tech-pkg archive


Re: system default root certificates?



"OBATA Akio" <obata%lins.jp@localhost> writes:

> How to specify/use default root certificates in pkgsrc?

I think there are multiple semi-separate issues:

1) What should NetBSD base system do about configuring trust anchors?
As I understand things, the only applicable software in base is openssl.
/etc/openssl/certs is empty for a default install, meaning configuration
of trust anchors is left to the user.  This is arguably a reasonable
choice from a security point of view, although lacking a bit in
usability.  Given the public CA mess, I don't think we can have a
situation that simultaneously has good usability for those who don't
want to understand and deal with this and good security properties.  It
would be interesting to see a survey of what other Free operating
systems do.  For now I propose not to try to change this.

2) What should pkgsrc do about configuring trust anchors, policy-wise.
Currently we have mozilla-rootcerts, but it is a utility package: it
allows one to configure trust anchors, but installing it doesn't
actually configure them.  This is likely the difficult issue.
I lean to letting the user decide policy, but making it easy.

Options seem to be not installing any by default, installing the mozilla
set, and defining our own set.  I don't think we should define our own
set.  It would be reasonable to let people configure particular CAs not
in the mozilla set, in particular CAcert, perhaps via an analogous
cacert-rootcerts package.

  One option is to make mozilla-rootcerts actually configure the trust
  anchors (run the extract and install steps) at install time.
  Presumably it would depend on openssl and thus choose the right
  location, or the pkgsrc openssl would alias the system certs
  directory.  If we do this, I think mozilla-rootcerts shouldn't be a
  dependency of any normal packages - just packages explicitly intended
  to configure trust anchors.

  Another option is to leave mozilla-rootcerts as it is, but to make it
  a dependency of openssl so that it's automatically installed.

3) How should the policy be implemented in terms of builtin vs. pkgsrc
openssl, other TLS implementations, and gnupg2 (that does S/MIME)?
Should there be a mozilla-rootcerts-foo package for each implementation
(or each implementation that has a different place to look for trust
anchors)?

> 1. Current situation
>
> In security/openssl/builtin.mk:
>   SSLCERTS will point to builtin OpenSSL's certs if using builtin OpenSSL, or
>   pkgsrc's one (depending on PKG_SYSCONFIGDIR).
>   builtin location list may not be complete.
>
> In security/mozilla-rootcerts/Makefile
>   SSLDIR is set almost same as above SSLCERTS (but loose logic).
>
> In security/mozilla-rootcerts/files/mozilla-rootcerts.sh:
>   using SSLDIR for OpenSSL?
>   using /etc/ssl/certs/ca-certificates.crt (hard-coded!) for GnuTLS?
>
> In security/openssl/Makefile:
>   PKG_SYSCONFDIR/certs will be set as default one.
>
> In security/gnutls/Makefile:
>   Not specified exactly, depending on build host configuration.
>   (/etc/ssl/certs/ca-certificates.crt is one of the candidates in configure script)
>
> I have not looked at all of them, but it seems that packages depending on
> OpenSSL are using SSLCERTS, and those depending on GnuTLS are using
> /etc/ssl/certs/ca-certificates.crt.

It seems that if the format of [/etc/openssl/certs] is shareable across
openssl/gnutls, that we should configure all implementations to use the
same place, and there should be a single mechanism in pkgsrc to decide
that directory.

> 2. Consideration
>
> NetBSD does not, but some platforms already have their own system default
> root certificates.
> But they may be ignored now if SSLCERTS or /etc/ssl/certs/ca-certificates.crt
> point to the wrong location, or when using OpenSSL/GnuTLS from pkgsrc.
>
>  * Should it be used even if using OpenSSL/GnuTLS from pkgsrc?
>  * Should it be defined in mk/platform/${OPSYS}.mk?

I think that the storage location of trust anchors should be made consistent.

>  * How mozilla-rootcerts should act?

I tend to think that mozilla-rootcerts should actually install the trust
anchor certs, but that we should prohibit packages from depending on
mozilla-rootcerts.  That leaves users who want to trust the CAs that
mozilla provides able to install mozilla-rootcerts, while others who
don't want to trust that (rather vast) set can simply not install the
package.

Arguably firefox itself should use the system trust anchors, not a
private set, but that's an uphill battle and a lot of work.

Attachment: pgpEXJhjNkIQi.pgp
Description: PGP signature
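The "one place for trust anchors" idea discussed above, as an added example in POSIX sh (this is not pkgsrc, openssl or mozilla-rootcerts code): a directory of one-certificate-per-file PEMs is treated as the single source of truth, the GnuTLS-style bundle file is generated from it, and a cheap drift check reports when the two stores no longer carry the same certificates. It assumes the directory/bundle split described in the thread; the fallback path /etc/openssl when no openssl binary is on PATH is an assumption, and the PEM blocks written by ca_demo are constructed placeholders, not real CA certificates.

```shell
#!/bin/sh
# Added example, not pkgsrc code.  Keeps an OpenSSL-style directory of PEM
# files and a GnuTLS-style single bundle file in step so both TLS
# implementations see the same set of trust anchors.

# Number of certificates in one PEM file (a single cert or a whole bundle).
# Prints 0 for a missing file instead of failing.
ca_count_pem() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Total certificates across all *.pem / *.crt files in a trust-anchor
# directory.  Keep the generated bundle outside this directory, or it is
# counted twice.
ca_count_dir() {
    total=0
    for f in "$1"/*.pem "$1"/*.crt; do
        [ -f "$f" ] || continue
        n=$(ca_count_pem "$f")
        total=$((total + n))
    done
    echo "$total"
}

# Build the single-file bundle (what GnuTLS is pointed at) from the directory
# (what OpenSSL reads): one source of truth, two on-disk layouts.
ca_build_bundle() {
    : > "$2"
    for f in "$1"/*.pem "$1"/*.crt; do
        [ -f "$f" ] || continue
        cat "$f" >> "$2"
    done
}

# Return 0 when directory and bundle hold the same non-zero number of
# certificates, 1 otherwise.  Run after extracting/installing roots.
ca_check_consistent() {
    d=$(ca_count_dir "$1")
    b=$(ca_count_pem "$2")
    if [ "$d" -gt 0 ] && [ "$d" -eq "$b" ]; then
        return 0
    fi
    echo "trust store drift: $d certs in $1, $b in $2" >&2
    return 1
}

# Directory the openssl binary on PATH was built to read trust anchors from.
# Falls back to /etc/openssl (assumption: NetBSD base layout) without openssl.
ca_openssl_dir() {
    if command -v openssl >/dev/null 2>&1; then
        openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/'
    else
        echo /etc/openssl
    fi
}

# Self-contained demo on constructed input: the PEM bodies below are
# placeholders, not real certificates; only the BEGIN/END markers matter.
ca_demo() {
    work=$(mktemp -d) || exit 1
    certs=$work/certs
    mkdir "$certs"
    for name in rootA rootB; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "placeholder-$name" \
            '-----END CERTIFICATE-----' > "$certs/$name.pem"
    done
    ca_build_bundle "$certs" "$work/ca-certificates.crt"
    ca_check_consistent "$certs" "$work/ca-certificates.crt" &&
        echo "in sync: $(ca_count_dir "$certs") certs in $(ca_openssl_dir)-style dir and bundle"
    # Drop an extra CA (e.g. a local CAcert root) into the directory only:
    # the bundle is now stale and the check says so.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder-local' \
        '-----END CERTIFICATE-----' > "$certs/local.pem"
    ca_check_consistent "$certs" "$work/ca-certificates.crt" ||
        echo "bundle is stale; rebuild it from the directory"
    rm -rf "$work"
}

case "${1:-}" in --demo) ca_demo ;; esac
```

Run it as `sh ca-sync.sh --demo` to see both the in-sync and the drifted case. Counting BEGIN markers is deliberately the cheapest possible check; once `openssl` is known to be present, comparing `openssl x509 -fingerprint -noout` output per certificate on both sides is the stricter version of the same idea.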
