On 9/23/2011 1:21 PM, m.roth@5-cent.us wrote:
The one thing I don't understand is this: AFAIK, Apache released not a server update, but an update to the certificate chain, yanking Digitar's CA.
What, pray tell, are you talking about?
I assume you mean "DigiNotar", the defunct Dutch CA?
What does the complete collapse of a once-trusted CA have to do with Apache? All this noise about DigiNotar is about bogus server-side certs, and how they impact browsers and other client-side SSL users. I have heard nothing about any resulting threat to Apache. The only one I can conceive is something to do with bogus client-side certs, which seems pretty unlikely, given how rarely they are used.
Additionally:
- "grep -Ris diginotar /etc/pki" returns nothing. Ditto for "vasco", DigiNotar's parent organization. This file you are worried about...it apparently lives somewhere else, or does not contain these words?
- Googling "diginotar site:mail-archives.apache.org" also returns nothing. So there's a threat to Apache, but no one on any of the Apache mailing lists is talking about it?
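The grep in the message above only matches names stored in plain text, and in a PEM bundle the subject name sits inside the base64-encoded DER body, so an empty grep result does not prove a CA is absent from the store. As an added example that is not from the thread, the following shell script decodes each certificate in a bundle with the openssl command-line tool and reports the ones whose subject or issuer matches a pattern; it assumes openssl is installed, and the bundle path and the sample CA names are constructed here for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Walks a PEM bundle one
# certificate at a time and prints the subject of every certificate whose
# subject or issuer matches a case-insensitive pattern. Plain grep on the
# bundle file would miss these names, because they live in the base64 body.
# Requires the openssl command-line tool.

# find_ca: $1 = PEM bundle path, $2 = pattern (e.g. diginotar)
# Prints the matching subjects; returns 0 if any matched, 1 otherwise.
find_ca() {
    bundle=$1; pattern=$2; found=1
    n=$(grep -c 'BEGIN CERTIFICATE' "$bundle")
    i=1
    while [ "$i" -le "$n" ]; do
        # Extract the i-th PEM block from the bundle.
        cert=$(awk -v want="$i" '
            /-----BEGIN CERTIFICATE-----/ { c++ }
            c == want { print }
            /-----END CERTIFICATE-----/ && c == want { exit }' "$bundle")
        # Decode the DER and print the subject and issuer in text form.
        names=$(printf '%s\n' "$cert" | openssl x509 -noout -subject -issuer 2>/dev/null)
        if printf '%s\n' "$names" | grep -qi -- "$pattern"; then
            printf '%s\n' "$names" | head -n 1
            found=0
        fi
        i=$((i + 1))
    done
    return $found
}

# Constructed sample: two throwaway self-signed roots, one with a tell-tale
# name, written into a temporary bundle whose path is printed.
make_sample_bundle() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/O=Example Distrusted CA/CN=Example Distrusted Root' \
        -keyout "$dir/k1.pem" -out "$dir/c1.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/O=Example Fine CA/CN=Example Fine Root' \
        -keyout "$dir/k2.pem" -out "$dir/c2.pem" 2>/dev/null
    cat "$dir/c1.pem" "$dir/c2.pem" > "$dir/bundle.pem"
    printf '%s\n' "$dir/bundle.pem"
}
```

Run `find_ca /etc/pki/tls/certs/ca-bundle.crt diginotar` against the real store to get a decoded answer rather than a plain-text one.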