Michael-John Turner <mj%mjturner.net@localhost> writes: >>One view is that the admin has failed to configure the set of trust >>anchors that they want to trust, and that this isn't bug in your >>package, but a feature that CAs that the admin hasn't approved aren't >>being used. That's more or less how I see it. > > Yes, true. One obvious downside of that approach (as others have noted) is > that lots of software that uses TLS doesn't work "out the box". And > searching online for, eg, git not trusting a certificate could lead to > the "GIT_SSL_NO_VERIFY" workaround, which is not ideal. That the other view is that a particular CA cert being pre-installed as a trust anchor will lead to certs from it being accepted, which for some is a security failure and hence "does not work". We should not use the word "works" to describe "validation succeeds" in a vacuum because whether that outcome is "working" or "not working" depends on the user. >>pkgsrc has more or less taken the view that choice of trust anchors is >>up to the base system config and sysadmin decisions, and pretty clearly >>taken the view that it is not up to individual packages to change these >>decisions, although mozilla-rootcerts-openssl is provided as a tool for >>admins to make that policy choice. > > That makes sense and (IMHO) that's a sane policy. Has the decision not to > add default trust anchors in the base system been discussed/reviewed > recently? It would be rather useful if pkg_add/pkgin could support https > out the box... Both OpenBSD and FreeBSD ship with a set of trusted CAs (I'm > assuming derived mostly from the Mozilla list, although I haven't dug into > it in any detail). I recall a discussion not too long ago, which probably means within 2 years. As I see it there are multiple issues: NetBSD tends very hard to default off and fail safe, rather than fail open. This is really an argument for a question in the installer "Do you want to configure the Mozilla Root Certificates as trust anchors for openssl?" so that people can choose to or not choose to install them. I'm fuzzy on this, but: NetBSD base systems tend not to get updated very fast, and it used to be that people thought that the mozilla root set needed timely updates. That leads to either wanting to push this out of base or to have some update mechanisms like pkg-vulnerabilties. It may be that this is not really a big issue; I think CAs get kicked out of the mozilla set rarely. Changing is a lot of work. So I think it will take someone willing to do the work, and doing it so that trust anchors are only configured with admin consent. Another approach would be to add a feature to pkgin where it would have a record of whether mozilla-rootcerts-openssl has been installed, and ask the user whether they wanted to install it or not, and thereafter not ask. Probably enabled only on systems where the base system is known not to have preconfigure trust anchors. That lets pkgsrc do this for a user easily, while not overriding base policy without consent. This would probably require pkgin, mozilla-rootcerts-openssl and mozilla-rootcerts to be prestaged as part of install, but we already need pkgin, or else the same download method could be used for mozilla-rootcerts as pkgin. Also needs someone to write the code.
Attachment:
signature.asc
Description: PGP signature