maya%netbsd.org@localhost writes:

> So, AFAIK, the only source of root certificates we have is the
> mozilla-rootcerts package.
As far as I know, too. It's an interesting question whether there are
other lists of CAs under a reasonable license and in use by other
open-source entities.

> It uses this list maintained by Mozilla:
> https://hg.mozilla.org/mozilla-central/file/tip/security/nss/lib/ckfw/builtins/certdata.txt
>
> Mozilla announced they will distrust Symantec*, but haven't done this by
> changing the certdata file. After asking, it turns out they document
> additional changes they apply on top:
> https://wiki.mozilla.org/CA/Additional_Trust_Changes
I had foolishly thought that the file of trusted root certificates was
the list of trusted root certificates :-)

I am guessing that OpenSSL and gnutls do not have this same kind of
custom processing.

> I am tempted to modify the rootcerts package to distrust any CA needing
> more complicated rules than "full trust". As in, manually distrust:
> - Kamu SM, Turkish government CA
> - ANSSI, French government CA**
> - Symantec
>
> Additionally, the list of "Symantec" is very long. At the original post
> it included VeriSign. It no longer seems to. I'll need to find an
> updated list.
You could look in the nss source code, which seems to be what counts.

Overall, it seems to me that the intent of the mozilla-rootcerts package
is to enable openssl to have configured as trust anchors the same set of
CAs that firefox would use. So if you were able to implement their
rules exactly, that seems clearly appropriate.

That leaves basically two complexities:

It seems there are several intermediate CAs operated by others
(e.g. Apple, Google) that have presumably had separate audits, and
mozilla is whitelisting them but only until October (which is
practically tomorrow). I am guessing the notion is that they are
getting (or have already) an intermediate certificate from a
still-respected CA. Still, I wonder how much fallout there is when
using the reduced certlist as you proposed.

The second is that the Turkish and French CAs are in an odd position of
being valid for names within their own countries, but otherwise not.
I'm not clear on how that ended up, but it smells of "CA doesn't
actually meet the requirements (because then it would just be listed
without the caveat), but we're going to accept the reality that it has
significant standing in that country". So in this case, leaving it out
seems ok, but I'd like to hear from users in those countries.
It seems the French CA (IGC/A) that once was included in Mozilla root
certs has been retired following its lifecycle, and there is no need to
get it back. So it looks fine to follow Mozilla CA removal. Today the
IGC/A is used mostly for inter-ministry exchange, for government's own
needs. Anyone here willing to use NetBSD with such a use case would most
certainly have the knowledge to include IGC/A in the trusted CA store.

Meanwhile public service websites now use industry standard CAs. So one
will not miss IGC/A for everyday browsing.

My guess is that it's fine as is. A bientôt ;)

So have you made the modification you are tempted to make locally, and
run with it? That would be an interesting data point too.
The other interesting question is what FreeBSD, OpenBSD, and the various GNU/Linux distributions are doing and why.
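The approach discussed in this thread (take Mozilla's certdata.txt, keep only the CAs that carry full server-auth trust, and then manually drop the CAs that Mozilla handles with rules on top of the file) can be prototyped in a few dozen lines. The following is an added example and is not the mozilla-rootcerts package's own script. The certdata sample is constructed for illustration (the CKA_VALUE bytes are placeholder octal, not a real DER certificate), and DISTRUST_PATTERNS only lists the three names mentioned in the thread; the full Symantec list, as noted above, still has to be taken from the NSS source.

```python
import base64
import re
import textwrap

# Constructed certdata.txt excerpt (not real Mozilla data). The CKA_VALUE
# bytes are placeholder octal and do not decode to a real certificate.
SAMPLE_CERTDATA = r'''
# constructed sample for illustration only
BEGINDATA

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root CA A"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\001
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE

# Trust for "Example Root CA A"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA A"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Symantec Root"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\002
END

# Trust for "Example Symantec Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Symantec Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Explicitly Distrusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\003
END

# Explicit Distrust for "Example Explicitly Distrusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Explicitly Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
'''

OCTAL_BYTE = re.compile(r"\\([0-7]{3})")

# Assumed patterns, taken only from the names mentioned in this thread.
DISTRUST_PATTERNS = [r"\bSymantec\b", r"\bKamu\b", r"\bANSSI\b"]


def parse_certdata(text):
    """Return certdata objects as dicts; a new object starts at each CKA_CLASS.
    MULTILINE_OCTAL attributes are decoded to bytes, UTF8 ones are unquoted."""
    objects, current = [], None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("#") or line == "BEGINDATA":
            continue
        attr, ctype, value = (line.split(None, 2) + [""])[:3]
        if ctype == "MULTILINE_OCTAL":
            buf = []
            while lines[i].strip() != "END":
                buf.append(lines[i].strip())
                i += 1
            i += 1  # consume the END line
            value = bytes(int(o, 8) for o in OCTAL_BYTE.findall("".join(buf)))
        elif ctype == "UTF8":
            value = value.strip('"')
        if attr == "CKA_CLASS":
            current = {"CKA_CLASS": value}
            objects.append(current)
        elif current is not None:
            current[attr] = value
    return objects


def trusted_server_roots(objects):
    """Map label -> DER for certificates whose trust object grants full
    server-auth trust. CKT_NSS_NOT_TRUSTED (explicit distrust) and
    CKT_NSS_MUST_VERIFY_TRUST (not a trust anchor) entries are left out."""
    certs = {o["CKA_LABEL"]: o["CKA_VALUE"]
             for o in objects if o["CKA_CLASS"] == "CKO_CERTIFICATE"}
    trust = {o["CKA_LABEL"]: o.get("CKA_TRUST_SERVER_AUTH")
             for o in objects if o["CKA_CLASS"] == "CKO_NSS_TRUST"}
    return {lbl: der for lbl, der in certs.items()
            if trust.get(lbl) == "CKT_NSS_TRUSTED_DELEGATOR"}


def to_pem(label, der):
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"# {label}\n-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def build_bundle(objects, distrust_patterns=DISTRUST_PATTERNS):
    """Return (pem_bundle, kept_labels, dropped_labels): the fully trusted
    roots minus anything matching the manual distrust list."""
    patterns = [re.compile(p, re.IGNORECASE) for p in distrust_patterns]
    kept, dropped = {}, []
    for label, der in sorted(trusted_server_roots(objects).items()):
        (dropped.append(label) if any(p.search(label) for p in patterns)
         else kept.setdefault(label, der))
    return "".join(to_pem(l, d) for l, d in kept.items()), list(kept), dropped


if __name__ == "__main__":
    pem, kept, dropped = build_bundle(parse_certdata(SAMPLE_CERTDATA))
    print("kept:", kept, "dropped:", dropped)
    print(pem)
```

The name-constrained cases (the Turkish and French CAs) are the reason the manual list exists at all: certdata.txt's trust flags can only say "trusted" or "not trusted" for a purpose, and a plain OpenSSL trust store has no place to record "trusted only for names under .tr", so a consumer that cannot express Mozilla's extra rules has to choose between over-trusting and dropping the CA.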