Brief bits from the evolving ipsCA failure
Some bits on various aspects of the ipsCA root certificate failure.
First, I've seen comments that the new ipsCA CA root certificate should be included in the next update of Firefox. However, I've now found the Mozilla bug about this (via Jeff Ballard), and it makes it seem very unlikely that the root certificate is going to be included in the near future (especially as ipsCA apparently had problems even before this). Interested people can watch Mozilla's CA:Schedule wiki page.
(Here I pause to admire the very long list of CAs asking for inclusion in Firefox et al. I admit that it makes me vaguely nervous. Also, since I just looked this up, it appears that the certificate list for Firefox is in security/nss/lib/ckfw/builtins/certdata.txt in the Firefox source tree. When built, it is compiled into NSS's built-in root module, the libnssckbi shared library or DLL.)
Through this I now have a useful pointer to a bunch of SSL resources. Looking at the complicated procedure for verifying SSL certificate chains makes me wish for a simple utility that read all of the certificates bundled into an SSL handshake and then reported any surprises in their Not After (expiry) dates. Certificates in a chain should never expire in the wrong order, with a certificate 'up' the chain expiring before your own SSL certificate: once the issuing certificate has expired, clients reject yours even though its own dates say it is still valid.
(Then you'd want to configure all of your machines to send the full certificate chain for your CA in their SSL handshakes, so that such a utility actually sees the intermediate certificates and not just your own.)
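Something close to the utility wished for above, as an added example that is not from the original post and not any tool ipsCA or Mozilla ships. It assumes an `openssl` binary on PATH for fetching a live chain (via `s_client -showcerts`, which prints the certificates in the order the server sent them), walks just enough DER to reach each certificate's Validity and subject CN (no signature checking; that stays with the TLS library), and flags any certificate that expires before one below it. The sample chain it checks when run without a hostname is constructed here, unsigned and X.509-shaped only as far as the parser looks; the names and dates in it are made up.

```python
import re
import ssl
import subprocess
from datetime import datetime, timezone

# Minimal DER walker: just enough of X.509 to reach Validity and the subject CN.
# It does not verify signatures or anything else; that is the TLS library's job,
# not this expiry-ordering check's.

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _parse_time(tag, raw):
    """UTCTime (0x17, YYMMDDHHMMSSZ, RFC 5280 pivot at 50) or GeneralizedTime (0x18)."""
    s = raw.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def _common_name(name):
    """Return the CN attribute of a DER Name (SEQUENCE OF SET OF {OID, value})."""
    pos = 0
    while pos < len(name):
        _, rdn, pos = _tlv(name, pos)
        _, atv, _ = _tlv(rdn, 0)
        _, oid, p = _tlv(atv, 0)
        if oid == b"\x55\x04\x03":           # id-at-commonName
            return _tlv(atv, p)[1].decode("utf-8", "replace")
    return "?"

def parse_certificate(der):
    """Return (subject CN, notBefore, notAfter) from one DER certificate."""
    _, cert, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                # tbsCertificate ::= SEQUENCE
    tag, _, pos = _tlv(tbs, 0)
    if tag != 0xA0:                          # [0] version is optional (absent in v1)
        pos = 0
    _, _, pos = _tlv(tbs, pos)               # serialNumber
    _, _, pos = _tlv(tbs, pos)               # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)               # issuer
    _, validity, pos = _tlv(tbs, pos)        # Validity ::= SEQUENCE { notBefore, notAfter }
    _, subject, _ = _tlv(tbs, pos)
    t1, v1, p = _tlv(validity, 0)
    t2, v2, _ = _tlv(validity, p)
    return _common_name(subject), _parse_time(t1, v1), _parse_time(t2, v2)

def chain_expiry_problems(chain_der):
    """chain_der is leaf first, as sent in the handshake. Report every case where
    a certificate higher up the chain expires before one below it."""
    certs = [parse_certificate(der) for der in chain_der]
    problems = []
    for i, (below, _, below_na) in enumerate(certs):
        for up, _, up_na in certs[i + 1:]:
            if up_na < below_na:
                problems.append(f"{up} expires {up_na:%Y-%m-%d}, before {below} ({below_na:%Y-%m-%d})")
    return problems

def fetch_chain(host, port=443):
    """The certificates the server actually sends, in order, via the openssl CLI
    (assumes an openssl binary on PATH; needs the network, so not run offline)."""
    out = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-showcerts"],
        input=b"", capture_output=True).stdout.decode("ascii", "replace")
    pems = re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", out, re.S)
    return [ssl.PEM_cert_to_DER_cert(p) for p in pems]

# --- constructed sample input: unsigned, X.509-shaped DER with only the fields read above ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def fake_certificate(cn, not_after):
    """Made-up certificate: v3 version marker, serial 1, sha256WithRSA OID, CN-only names."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    validity = _der(0x30, _der(0x18, b"20080101000000Z") + _der(0x18, not_after.encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
               + name + validity + name)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))

if __name__ == "__main__":
    import sys
    chain = fetch_chain(sys.argv[1]) if len(sys.argv) > 1 else [
        fake_certificate("www.example.org", "20110630000000Z"),      # constructed
        fake_certificate("ipsCA intermediate", "20091229000000Z"),   # constructed
        fake_certificate("root CA", "20200101000000Z")]              # constructed
    for line in chain_expiry_problems(chain) or ["chain expiry order looks sane"]:
        print(line)
```

Run it with a hostname to check a live server; without one it checks the constructed chain and reports the intermediate that expires before the leaf it signed. Because it only looks at what the server sends, a server that omits its intermediates will look clean here while still failing in browsers that lack them, which is why the full chain should be configured on every machine.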
So far I am somewhat surprised by how little turmoil and noise there has been about this. If there's going to be much, it may start on January 4th when a lot of universities start up again after the Christmas break. (After all, it was entirely coincidence and luck that I found out about this when I did.)
(Interestingly, Twitter is much more active about this than the bits of the blogosphere that I can easily search. This may mean something.)