From: ludo@gnu.org (Ludovic Courtès)
To: Mark H Weaver <mhw@netris.org>
Cc: guix-devel@gnu.org
Subject: Re: [PATCHES] profiles: Produce a single-file CA certificate bundle
Date: Tue, 03 Mar 2015 13:32:40 +0100 [thread overview]
Message-ID: <87a8zuntw7.fsf@gnu.org> (raw)
In-Reply-To: <87bnkaeb8y.fsf@netris.org> (Mark H. Weaver's message of "Tue, 03 Mar 2015 03:27:57 -0500")
Mark H Weaver <mhw@netris.org> skribis:
> I think perhaps that we should be more selective in the certs we add to
> ca-certificates.crt. Debian has a configuration file
> /etc/ca-certificates.conf, and only adds certificates that are
> explicitly listed there to ca-certificates.crt.
Based on what you write, I agree we should be more selective, but I’m
not sure how we can do that.
So far the approach has been to trust Mozilla’s bundle, which is
apparently not such a great idea. But what can we trust here?
> Several of the certs in /etc/ssl/certs have comments like this:
>
> # alias="Bogus Global Trustee"
> # trust=
> # distrust=CKA_TRUST_CODE_SIGNING CKA_TRUST_EMAIL_PROTECTION CKA_TRUST_SERVER_AUTH
> # openssl-distrust=codeSigning emailProtection serverAuth
>
> So it seems that the NSS certificate store may include known-bogus
> certificates, perhaps to allow displaying a more severe security warning
> than the common case of an unknown CA (e.g. self-signed certificates).
>
> We should find out whether these Bogus untrusted CA certificates are
> present in Debian's /etc/ssl/certs, and whether they are present in its
> ca-certificates.conf. We should also determine whether OpenSSL and
> GnuTLS pay attention to those "distrust" comments (see above) in the
> single-file certificate bundle, and whether they pay attention to them
> in the smaller *.pem and hash-named files.
Yes. If not, we may have to look for ‘distrust’ lines in our own code
and get rid of such certificates.
> I will investigate later today, but if anyone is inspired to investigate
> sooner and report their findings, feel free. It could be that 993300f6c
> and/or e979e6dd523 should be reverted.
That seems orthogonal to me. What we could do is to change
‘x509-certificates’ to default to an empty bundle, if NSS is deemed
untrustworthy.
Ludo’.
next prev parent reply other threads:[~2015-03-03 12:32 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-02 23:11 [PATCH] gnu: gnutls: Configure location of system-wide trust store Mark H Weaver
2015-02-03 0:01 ` David Thompson
2015-02-03 20:53 ` Ludovic Courtès
2015-02-03 20:57 ` Marek Benc
2015-02-04 12:36 ` Andreas Enge
2015-02-04 12:42 ` Andreas Enge
2015-02-04 15:35 ` Mark H Weaver
2015-02-05 9:59 ` Andreas Enge
2015-02-08 13:36 ` Andreas Enge
2015-02-08 14:29 ` Andreas Enge
2015-02-08 15:24 ` Andreas Enge
2015-02-08 15:59 ` Mark H Weaver
2015-02-15 5:17 ` Mark H Weaver
2015-02-15 9:16 ` Andreas Enge
2015-02-15 16:59 ` Mark H Weaver
2015-02-23 21:34 ` Ludovic Courtès
2015-02-24 20:31 ` Mark H Weaver
2015-02-25 0:25 ` Andreas Enge
2015-03-02 22:12 ` /etc/ssl/certs and the certificate bundle Ludovic Courtès
2015-03-03 2:25 ` Mark H Weaver
2015-03-03 7:29 ` [PATCHES] profiles: Produce a single-file CA " Mark H Weaver
2015-03-03 8:27 ` Mark H Weaver
2015-03-03 12:23 ` Andreas Enge
2015-03-03 12:32 ` Ludovic Courtès [this message]
2015-03-03 19:33 ` Mark H Weaver
2015-03-03 20:04 ` Ludovic Courtès
2015-03-03 12:43 ` Ludovic Courtès
2015-03-03 12:55 ` Andreas Enge
2015-03-03 20:27 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87a8zuntw7.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=guix-devel@gnu.org \
--cc=mhw@netris.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.