pkgsrc-Changes archive


Re: CVS commit: pkgsrc/security/mozilla-rootcerts



nia <nia%NetBSD.org@localhost> writes:

> On Fri, Mar 27, 2020 at 01:33:08PM +0000, Greg Troxel wrote:
>> +NB: This package provides certificates, but does not configure them as
>> +trust anchors in any particular SSL/TLS implementation.  See also
>> +Mozilla-rootcerts-openssl for a package that configures these
>> +certificates as trust anchors in OpenSSL.
>
> Can we agree to use the phrase 'configure them as trust anchors' less?

Well, that is the accurate way to describe the situation.  This is
really about the set of CA certs that are configured as trust anchors in
the validator.

I am open to other phrasing that does not seem inaccurate to people that
actually understand the specifications.

Perhaps "install as trusted root certificates" as something that 1)
obviously means the same thing to people that understand the specs and
2) is understood by those who do not?

> This raises more questions than it answers for users who are wondering
> why curl'ing a https URL doesn't work.
>
> Since this is a package that practically every pkgsrc user will have
> installed, I don't think it makes sense to overcomplicate the
> description. The description should describe the common use case,
> that is, installing a complete set of certificates so validation works.

Disabling validation "works" too.  The underlying situation just isn't
simple.  But I am very sympathetic to explaining things in a way that
people that don't understand will follow, as long as those that do
understand how this is supposed to work will not feel misled.

So is "install the mozilla set as trusted root certificates, so that
web site certificates signed by those root certificates will be
accepted" ok?  (That's fuzzy about intermediate CAs, but I find that
acceptable.)

> I'm not actually sure focusing on OpenSSL is helpful either, since
> other TLS implementations will use the same certificate store.

Do they?  I am not aware (and I really mean "am not aware", not "I don't
believe you") of any other TLS implementation reading the openssl
trusted cert dir.
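The distinction the thread keeps circling, "certificates on disk" versus "configured as trust anchors in the validator", can be shown with a throwaway CA. The following is an added demonstration, not code from the thread or from the mozilla-rootcerts packages; the CA names, the leaf hostname and everything under $WORK are constructed for it, and it assumes an openssl binary (1.1.1 or later) on PATH.

```shell
#!/bin/sh
# Build a throwaway root CA, an intermediate and a leaf certificate, then show
# that openssl only accepts the leaf once the root has been configured as a
# trust anchor (via -CAfile, or a hashed -CApath directory of the kind that
# mozilla-rootcerts-openssl populates).  All paths under $WORK are constructed.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_EXT="$WORK/ca.ext"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$CA_EXT"

# csr NAME CN: private key plus CSR for one certificate (EC P-256 keeps it fast)
csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}
csr root  "Demo Root CA"
csr inter "Demo Intermediate CA"
csr leaf  "www.example.test"

# Self-signed root, root-signed intermediate, intermediate-signed leaf.
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
  -extfile "$CA_EXT" -out "$WORK/root.pem" 2>/dev/null
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 2 -extfile "$CA_EXT" -out "$WORK/inter.pem" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
  -CAcreateserial -days 2 -out "$WORK/leaf.pem" 2>/dev/null

# Hashed trust directory: OpenSSL looks up anchors in -CApath by <subject-hash>.<n>,
# which is what "configuring the certificates as trust anchors in OpenSSL" means.
mkdir "$WORK/certs"
ln -s "$WORK/root.pem" "$WORK/certs/$(openssl x509 -noout -hash -in "$WORK/root.pem").0"

# verify_leaf [openssl verify options]: status 0 only if the chain validates.
# The intermediate is offered as untrusted, as a server would send it in the handshake.
verify_leaf() {
  openssl verify -untrusted "$WORK/inter.pem" "$@" "$WORK/leaf.pem" >/dev/null 2>&1
}

# The same certificate files exist on disk in all three cases; only the set of
# trust anchors the validator has been told about differs.
verify_leaf                          && echo "no anchor configured: accepted?!" || echo "no anchor configured: rejected"
verify_leaf -CAfile "$WORK/root.pem" && echo "-CAfile root.pem: accepted"       || echo "-CAfile root.pem: rejected?!"
verify_leaf -CApath "$WORK/certs"    && echo "-CApath hashed dir: accepted"     || echo "-CApath hashed dir: rejected?!"
```

Point the third case at an empty directory instead and the leaf is rejected again: the file containing the root is still there, it is just no longer an anchor in the validator's configuration.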


