I wonder if browsers will tighten permissions and stop accepting sub CA certs from those CAs listed on their spreadsheet as not having any subs..
Landry Breuil <lan...@rhaalovely.net> wrote: >On Mon, Dec 31, 2012 at 01:41:27AM -0700, Landry Breuil wrote: >> CVSROOT: /cvs >> Module name: ports >> Changes by: lan...@cvs.openbsd.org 2012/12/31 01:41:27 >> >> Modified files: >> security/nss : Makefile distinfo >> >> Log message: >> Update to nss-3.14.1.with.ckbi.1.93, which explicitely distrusts >> "TURKTRUST Mis-issued Intermediate CA 1" & "TURKTRUST Mis-issued >> Intermediate CA 2". >> (added in #768547, removed in #825022) > >And for people interested in the details of that security issue : >http://lwn.net/Articles/531346/ >https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates/ >http://googleonlinesecurity.blogspot.fr/2013/01/enhancing-digital-certificate-security.html >provide more info on it. Basically, a fraudulent cert for *.google.com >was issued by an intermediate CA mistakenly issued by TURKTRUST. > >oops.