On 9/23/2011 1:21 PM, m.roth at 5-cent.us wrote:
> The one thing I don't understand is this: AFAIK, apache release not a
> server update, but an update to the certificate chain, yanking Digitar's
> CA.

What, pray tell, are you talking about? I assume you mean "DigiNotar", the defunct Dutch CA?

What does the complete collapse of a once-trusted CA have to do with Apache? All this noise about DigiNotar is about bogus server-side certs, and how they impact browsers and other client-side SSL users. I have heard nothing about any resulting threat to Apache. The only one I can conceive is something to do with bogus client-side certs, which seems pretty unlikely, given how rarely they are used.

Additionally:

- "grep -Ris diginotar /etc/pki" returns nothing. Ditto for "vasco", DigiNotar's parent organization. This file you are worried about...it apparently lives somewhere else, or does not contain these words?

- Googling "diginotar site:mail-archives.apache.org" also returns nothing. So there's a threat to Apache, but no one on any of the Apache mailing lists is talking about it?