From mboxrd@z Thu Jan 1 00:00:00 1970
From: Mark H Weaver
Subject: Re: [PATCHES] profiles: Produce a single-file CA certificate bundle
Date: Tue, 03 Mar 2015 03:27:57 -0500
Message-ID: <87bnkaeb8y.fsf@netris.org>
References: <87r3u7di49.fsf@netris.org> <20150204123652.GA21908@debian.eduroam.u-bordeaux.fr> <87wq3jah2w.fsf@netris.org> <20150215091632.GA9692@debian> <87sie79km0.fsf@netris.org> <87mw441fdp.fsf@gnu.org> <87sidvhx0t.fsf@netris.org> <87zj7v2gmf.fsf_-_@gnu.org> <87fv9medxv.fsf_-_@netris.org>
Mime-Version: 1.0
Content-Type: text/plain
Return-path:
Received: from eggs.gnu.org ([2001:4830:134:3::10]:57177) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1YSiB6-0000XI-TO for guix-devel@gnu.org; Tue, 03 Mar 2015 03:27:45 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1YSiB3-0002Dp-Lp for guix-devel@gnu.org; Tue, 03 Mar 2015 03:27:44 -0500
In-Reply-To: <87fv9medxv.fsf_-_@netris.org> (Mark H. Weaver's message of "Tue, 03 Mar 2015 02:29:48 -0500")
List-Id: "Development of GNU Guix and the GNU System distribution."
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
To: Ludovic Courtès
Cc: guix-devel@gnu.org

I think perhaps that we should be more selective in the certs we add to
ca-certificates.crt. Debian has a configuration file
/etc/ca-certificates.conf, and only adds certificates that are
explicitly listed there to ca-certificates.crt.

Several of the certs in /etc/ssl/certs have comments like this:

  # alias="Bogus Global Trustee"
  # trust=
  # distrust=CKA_TRUST_CODE_SIGNING CKA_TRUST_EMAIL_PROTECTION CKA_TRUST_SERVER_AUTH
  # openssl-distrust=codeSigning emailProtection serverAuth

So it seems that the NSS certificate store may include known-bogus
certificates, perhaps to allow displaying a more severe security warning
than the common case of an unknown CA (e.g. self-signed certificates).

We should find out whether these Bogus untrusted CA certificates are
present in Debian's /etc/ssl/certs, and whether they are present in its
ca-certificates.conf.

We should also determine whether OpenSSL and GnuTLS pay attention to
those "distrust" comments (see above) in the single-file certificate
bundle, and whether they pay attention to them in the smaller *.pem and
hash-named files.

I will investigate later today, but if anyone is inspired to investigate
sooner and report their findings, feel free.

It could be that 993300f6c and/or e979e6dd523 should be reverted.

      Mark
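As an added example, not from this thread and not Guix's own code: a small Python script that reads a certificate bundle carrying the "# alias=" / "# trust=" / "# distrust=" / "# openssl-trust=" / "# openssl-distrust=" comments quoted in the message above, and emits a single-file bundle containing only the certificates explicitly trusted for a given purpose (serverAuth for TLS). Building ca-certificates.crt this way is the conservative choice whatever the TLS libraries do with the comments, since a plain PEM reader that skips non-PEM lines sees no distrust metadata at all. The comment keys are assumed to follow exactly the format shown in the message; the sample bundle and the base64 bodies in it are constructed placeholders, not real certificates, and the parser never decodes them. A "distrust" entry wins over a "trust" entry, and a certificate with no trust metadata is treated as untrusted.

```python
import re

# Constructed sample bundle in the comment format quoted in the mail.
# The certificate bodies are placeholders (not real DER), which is fine
# because nothing below decodes them.
SAMPLE_BUNDLE = """\
# alias="Example Root CA"
# trust=CKA_TRUST_CODE_SIGNING CKA_TRUST_EMAIL_PROTECTION CKA_TRUST_SERVER_AUTH
# distrust=
# openssl-trust=codeSigning emailProtection serverAuth
-----BEGIN CERTIFICATE-----
AAAAexampleroot
-----END CERTIFICATE-----
# alias="Bogus Global Trustee"
# trust=
# distrust=CKA_TRUST_CODE_SIGNING CKA_TRUST_EMAIL_PROTECTION CKA_TRUST_SERVER_AUTH
# openssl-distrust=codeSigning emailProtection serverAuth
-----BEGIN CERTIFICATE-----
AAAAbogus
-----END CERTIFICATE-----
# alias="Email-only CA"
# trust=CKA_TRUST_EMAIL_PROTECTION
# distrust=
# openssl-trust=emailProtection
-----BEGIN CERTIFICATE-----
AAAAemailonly
-----END CERTIFICATE-----
"""

# Map the OpenSSL-style purpose names to the NSS CKA_TRUST_* names so that
# either comment family can be consulted.
USAGE_TO_CKA = {
    "serverAuth": "CKA_TRUST_SERVER_AUTH",
    "emailProtection": "CKA_TRUST_EMAIL_PROTECTION",
    "codeSigning": "CKA_TRUST_CODE_SIGNING",
}

COMMENT_RE = re.compile(r"#\s*([\w-]+)=(.*)$")
BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def parse_bundle(text):
    """Split a commented bundle into entries.

    Each entry is {"meta": {...}, "pem": "..."}; meta holds the key=value
    comments that immediately precede the PEM block.  A PEM block that is
    missing its BEGIN line is ignored rather than crashing the parser.
    """
    entries, meta, pem_lines = [], {}, None
    for line in text.splitlines():
        if pem_lines is None and line.startswith("#"):
            m = COMMENT_RE.match(line)
            if m:
                meta[m.group(1)] = m.group(2).strip().strip('"')
        elif line == BEGIN:
            pem_lines = [line]
        elif line == END and pem_lines is not None:
            pem_lines.append(line)
            entries.append({"meta": meta, "pem": "\n".join(pem_lines)})
            meta, pem_lines = {}, None
        elif pem_lines is not None:
            pem_lines.append(line)
    return entries


def is_trusted_for(entry, usage="serverAuth"):
    """True only if the cert is explicitly trusted for `usage` and not distrusted.

    Distrust (from either comment family) always wins; a certificate with
    no trust metadata at all is treated as untrusted.
    """
    meta = entry["meta"]
    cka = USAGE_TO_CKA[usage]
    distrusted = (usage in meta.get("openssl-distrust", "").split()
                  or cka in meta.get("distrust", "").split())
    trusted = (usage in meta.get("openssl-trust", "").split()
               or cka in meta.get("trust", "").split())
    return trusted and not distrusted


def build_bundle(text, usage="serverAuth"):
    """Return (kept aliases, bundle text) for the certs trusted for `usage`.

    The emitted bundle contains bare PEM blocks only, so a consumer that
    ignores comments cannot pick up a distrusted certificate by accident.
    """
    kept = [e for e in parse_bundle(text) if is_trusted_for(e, usage)]
    aliases = [e["meta"].get("alias", "<no alias>") for e in kept]
    return aliases, "".join(e["pem"] + "\n" for e in kept)


if __name__ == "__main__":
    names, bundle = build_bundle(SAMPLE_BUNDLE, "serverAuth")
    print("kept for serverAuth:", names)
    print(bundle)
```

Run it directly to see that only "Example Root CA" survives for serverAuth; asking for emailProtection additionally keeps "Email-only CA", and the "Bogus Global Trustee" entry is dropped for every purpose because its distrust comments cover all three.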