I wonder if browsers will tighten permissions and stop accepting sub CA certs
from those CAs listed on their spreadsheet as not having any subs..
Landry Breuil lan...@rhaalovely.net wrote:
On Mon, Dec 31, 2012 at 01:41:27AM -0700, Landry Breuil wrote:
CVSROOT: /cvs
Module name: ports
Changes by: lan...@cvs.openbsd.org 2012/12/31 01:41:27
Modified files:
security/nss : Makefile distinfo
Log message:
Update to nss-3.14.1.with.ckbi.1.93, which explicitely distrusts
TURKTRUST Mis-issued Intermediate CA 1 TURKTRUST Mis-issued
Intermediate CA 2.
(added in #768547, removed in #825022)
And for people interested in the details of that security issue :
http://lwn.net/Articles/531346/
https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates/
http://googleonlinesecurity.blogspot.fr/2013/01/enhancing-digital-certificate-security.html
provide more info on it. Basically, a fraudulent cert for *.google.com
was issued by an intermediate CA mistakenly issued by TURKTRUST.
oops.