Re: [tlug] firefox SSL certs

[Darren Cook <darren@example.com>]

>> But it turns out the .0 files (that are new) are just symbolic links to
>> .pem files (that are not), and the linked filename tells me as much as I
>> need to know. (BTW, the deleted .o file seems to correspond with the
>> deleted DigiNotar_Root_CA.pem.)
> 
> Given that DigiNotar was hacked and their certs revoked, wouldn't you
> expect changes?

Nope; I'm fine with that.

It is the other changes/additions that happened at the same time that
are confusing me.

After a little more googling, I think what has happened is c_rehash got
run yesterday (presumably by the firefox package update) and therefore
created hashes for a couple of certificates that have been added since
whenever it was last run. ("UbuntuOne-Go_Daddy" is one of them, and
dates back to 2011-04-15, so it seems c_rehash does not get run very often!)

And, regarding, packet ownership, the certificates for almost all of
them are actually kept under /usr/share/ca-certificates/ which is owned
by the ca-certificates package. So, the "problem" was simply that symbol
links are not package-owned. It'd be nice if apt-file had an option to
follow symlinks.

So, satisfied I've just checked all the changes into git. Thanks for the
replies and education. :-)

Darren


-- 
Darren Cook, Software Researcher/Developer

http://dcook.org/work/ (About me and my work)
http://dcook.org/blogs.html (My blogs and articles)