Suman Jana reported that GnuTLS, deviating from the documented behavior, considers a version 1 intermediate certificate as a CA certificate by default. The oldstable distribution is not affected by this problem as X.509 version 1 trusted CA certificates are not allowed by default.