"OBATA Akio" <obata%lins.jp@localhost> writes:

> How to specify/use default root certificates in pkgsrc?

I think there are multiple semi-separate issues:

1) What should the NetBSD base system do about configuring trust anchors?

As I understand things, the only applicable software in base is openssl. /etc/openssl/certs is empty for a default install, meaning configuration of trust anchors is left to the user. This is arguably a reasonable choice from a security point of view, although lacking a bit in usability. Given the public CA mess, I don't think we can have a situation that simultaneously has good usability for those who don't want to understand and deal with this and good security properties. It would be interesting to see a survey of what other Free operating systems do. For now I propose not to try to change this.

2) What should pkgsrc do about configuring trust anchors, policy-wise?

Currently we have mozilla-rootcerts, but it is a utility package that allows one to configure trust anchors; installing it doesn't actually configure them.

This is likely the difficult issue. I lean to letting the user decide policy, but making it easy. Options seem to be not installing any by default, installing the mozilla set, and defining our own set. I don't think we should define our own set. It would be reasonable to let people configure particular CAs not in the mozilla set, in particular CAcert, perhaps via an analogous cacert-rootcerts package.

One option is to make mozilla-rootcerts actually configure the trust anchors (run the extract and install steps) at install time. Presumably it would depend on openssl and thus choose the right location, or the pkgsrc openssl would alias the system certs directory. If we do this, I think mozilla-rootcerts shouldn't be a dependency of any normal packages - just packages explicitly intended to configure trust anchors.

Another option is to leave mozilla-rootcerts as it is, but to make it a dependency of openssl so that it's automatically installed.

3) How should the policy be implemented in terms of builtin vs. pkgsrc openssl, other TLS implementations, and gnupg2 (that does S/MIME)? Should there be a mozilla-rootcerts-foo package for each implementation (or each implementation that has a different place to look for trust anchors)?

> 1. Current situation
>
> In security/openssl/builtin.mk:
> SSLCERTS will point to builtin OpenSSL's certs if using builtin OpenSSL, or
> pkgsrc's one (depending on PKG_SYSCONFIGDIR).
> builtin location list may not be complete.
>
> In security/mozilla-rootcerts/Makefile
> SSLDIR is set almost the same as above SSLCERTS (but loose logic).
>
> In security/mozilla-rootcerts/files/mozilla-rootcerts.sh:
> using SSLDIR for OpenSSL?
> using /etc/ssl/certs/ca-certificates.crt (hard-coded!) for GnuTLS?
>
> In security/openssl/Makefile:
> PKG_SYSCONFDIR/certs will be set as the default one.
>
> In security/gnutls/Makefile:
> Not specified exactly, depending on build host configuration.
> (/etc/ssl/certs/ca-certificates.crt is one of the candidates in configure
> script)
>
> I have not looked at all of them, but it seems that packages depending on OpenSSL are using
> SSLCERTS,
> and GnuTLS ones /etc/ssl/certs/ca-certificates.crt.

It seems that if the format of [/etc/openssl/certs] is shareable across openssl/gnutls, then we should configure all implementations to use the same place, and there should be a single mechanism in pkgsrc to decide that directory.

> 2. Consideration
>
> NetBSD does not, but some platforms already have their own system default root
> certificates.
> But it may be ignored now if SSLCERTS or /etc/ssl/certs/ca-certificates.crt
> point to the wrong location,
> or using OpenSSL/GnuTLS from pkgsrc.
>
> * Should it be used even if using OpenSSL/GnuTLS from pkgsrc?
> * Should it be defined in mk/platform/${OPSYS}.mk?

I think that the storage location of trust anchors should be made consistent.

> * How should mozilla-rootcerts act?

I tend to think that mozilla-rootcerts should actually install the trust anchor certs, but that we should prohibit packages from depending on mozilla-rootcerts. That way, users who want to trust the CAs that mozilla provides can install mozilla-rootcerts, and others who don't want to trust that (rather vast) set need not install the package.

Arguably firefox itself should use the system trust anchors, not a private set, but that's an uphill battle and a lot of work.
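The thread above turns on two facts that are easy to get wrong on a real system: OpenSSL's CApath lookup only finds certificates through hashed names (the `<8 hex digits>.<n>` entries that `c_rehash` or `openssl rehash` creates), while GnuTLS reads a single concatenated bundle. The script below is an added example, not code from the message or from pkgsrc, that audits both locations and reports whether they are populated and agree in certificate count. It assumes /etc/openssl/certs as the NetBSD base default when no `openssl` binary is on the path, and the certificate it writes for the demonstration is a constructed PEM-shaped placeholder, not a real certificate.

```shell
#!/bin/sh
# Added example (not part of the original message): audit the trust-anchor
# locations used by OpenSSL (hashed CApath directory) and GnuTLS (PEM bundle)
# and report whether they are usable and consistent with each other.

# Count entries that OpenSSL's by-directory lookup can actually use: regular
# files or live symlinks named <8 hex digits>.<n>. Plain *.pem files without
# a hash link, and dangling links left after a cert was removed, do not count.
# Always prints a number and returns 0 so callers can use it under set -e.
count_hashed_certs() {
    dir=$1
    n=0
    [ -d "$dir" ] || { echo 0; return 0; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if printf '%s\n' "${f##*/}" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Count PEM certificate blocks in a bundle such as
# /etc/ssl/certs/ca-certificates.crt (the hard-coded GnuTLS path from the
# thread). grep -c prints 0 on no match but exits 1, hence the "|| true".
count_bundle_certs() {
    [ -f "$1" ] || { echo 0; return 0; }
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    echo "${n:-0}"
}

# Directory OpenSSL consults: OPENSSLDIR/certs as reported by the binary on
# the path, falling back to the NetBSD base default (assumption) otherwise.
openssl_certs_dir() {
    d=""
    if command -v openssl >/dev/null 2>&1; then
        d=$(openssl version -d | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p')
    fi
    if [ -n "$d" ]; then
        echo "$d/certs"
    else
        echo /etc/openssl/certs
    fi
}

# Report both stores. "consistent=yes" means both are populated and hold the
# same number of certificates, i.e. the single shared trust-anchor set the
# message argues for is in effect; anything else means one implementation
# will trust a different (or empty) set than the other.
audit_trust_anchors() {
    nd=$(count_hashed_certs "$1")
    nb=$(count_bundle_certs "$2")
    if [ "$nd" -gt 0 ] && [ "$nd" -eq "$nb" ]; then
        c=yes
    else
        c=no
    fi
    echo "openssl_dir=$nd gnutls_bundle=$nb consistent=$c"
}

# Demonstration on a constructed layout in a temporary directory: one
# placeholder certificate, rehash-style link, and a bundle built from it.
demo() {
    t=$(mktemp -d) || return 1
    printf -- '-----BEGIN CERTIFICATE-----\nMIIB-placeholder-not-a-real-cert\n-----END CERTIFICATE-----\n' > "$t/example.pem"
    echo "before rehash: $(audit_trust_anchors "$t" "$t/ca-certificates.crt")"
    ln -s example.pem "$t/deadbeef.0"          # what c_rehash would create
    cat "$t/example.pem" > "$t/ca-certificates.crt"
    echo "after rehash:  $(audit_trust_anchors "$t" "$t/ca-certificates.crt")"
    echo "this host's OpenSSL dir: $(openssl_certs_dir)"
    rm -rf "$t"
}

demo
```

The "before rehash" line is the case the thread's `SSLDIR` / `SSLCERTS` confusion produces in practice: a directory of PEM files that looks populated to a human but yields zero usable anchors to OpenSSL until the hash links exist.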