Re: more details on the last security/nss update

[Stuart Henderson]

I wonder if browsers will tighten permissions and stop accepting sub CA certs 
from those CAs listed on their spreadsheet as not having any subs..


Landry Breuil lan...@rhaalovely.net wrote:

On Mon, Dec 31, 2012 at 01:41:27AM -0700, Landry Breuil wrote:
 CVSROOT: /cvs
 Module name: ports
 Changes by:  lan...@cvs.openbsd.org  2012/12/31 01:41:27
 
 Modified files:
  security/nss   : Makefile distinfo 
 
 Log message:
 Update to nss-3.14.1.with.ckbi.1.93, which explicitely distrusts
 TURKTRUST Mis-issued Intermediate CA 1  TURKTRUST Mis-issued
 Intermediate CA 2.
 (added in #768547, removed in #825022)

And for people interested in the details of that security issue :
http://lwn.net/Articles/531346/
https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates/
http://googleonlinesecurity.blogspot.fr/2013/01/enhancing-digital-certificate-security.html
provide more info on it. Basically, a fraudulent cert for *.google.com
was issued by an intermediate CA mistakenly issued by TURKTRUST.

oops.

more details on the last security/nss update

[Landry Breuil]

On Mon, Dec 31, 2012 at 01:41:27AM -0700, Landry Breuil wrote:
 CVSROOT:  /cvs
 Module name:  ports
 Changes by:   lan...@cvs.openbsd.org  2012/12/31 01:41:27
 
 Modified files:
   security/nss   : Makefile distinfo 
 
 Log message:
 Update to nss-3.14.1.with.ckbi.1.93, which explicitely distrusts
 TURKTRUST Mis-issued Intermediate CA 1  TURKTRUST Mis-issued
 Intermediate CA 2.
 (added in #768547, removed in #825022)

And for people interested in the details of that security issue :
http://lwn.net/Articles/531346/
https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates/
http://googleonlinesecurity.blogspot.fr/2013/01/enhancing-digital-certificate-security.html
provide more info on it. Basically, a fraudulent cert for *.google.com
was issued by an intermediate CA mistakenly issued by TURKTRUST.

oops.