help-gnutls

Re: Fwd: Re: [oss-security] CVE Request: evolution-data-server lacks SSL


From: Nikos Mavrogiannopoulos
Subject: Re: Fwd: Re: [oss-security] CVE Request: evolution-data-server lacks SSL checking in its libsoup users
Date: Mon, 07 May 2012 18:15:54 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.3) Gecko/20120329 Icedove/10.0.3

On 05/07/2012 12:35 PM, Richard Moore wrote:


>> Are there ways to identify the trust purpose of those certificates?
>> Is there any intention to standardize something like that, so we don't
>> end up with our own trust?
> 
> All the certs are trusted for all purposes in this scheme (subject to
> the keyusage flags they contain).


The problem is that there is no particular scheme and the keyusage
flags are set by the CA, not by the one who trusts the certificate.
Because VeriSign has a certificate that says it is appropriate for
signing e-mail, it doesn't mean that I want to trust it.

regards,
Nikos



