tech-security archive


Re: trust anchors and the base system



On Fri, Sep 02, 2022 at 02:23:51PM -0400, Greg Troxel wrote:
> I don't think we have to really address this, but it's important to keep
> it in mind because sometimes people seem to think this is totally
> straightforward and that anyone who doesn't want to just install the
> mozilla set doesn't understand.

I don't think that summarizes my position and what I suspect a lot of
other people think. If you care enough, you are free to configure your
system differently. But that's no excuse for not having a configuration
out of the box that works well enough for 99% of humanity.

>   rule is that NetBSD installs the mozilla set by default and when
>   that's done, it set /etc/openssl/VALIDATE.

This is useless complexity to me and therefore an enemy of a robust
system.

>   there's some fetch/update that happens to get new versions
> 
>   there is some way that there is a config file of certs in mozilla not
>   to use, and some way to put certs that one wants as trust anchors, and
>   this is respected by the update process

There are two common ways to install trust anchors:
(1) A single ca-bundle.pem.
(2) One certificate per trust anchor, with a hashed symlink for
efficient lookup.

If you want to add or drop a certificate in the first scheme, you
append/remove it to/from the file. For the second scheme, you add/drop
the symlink. Most installations nowadays prefer the second approach as
it is easier to roll out custom CAs. I see little reason to divert from
this scheme.

I don't see a need for inventing a separate update mechanism, we already
have enough mechanisms for updating /etc and the rest of the system. The
only new part we should support IMO is /etc/ssl/certs.bad and having a
replacement for c_rehash in shell or C that looks into that directory,
builds a list of hashes of all certs in it and explicitly removes them
from /etc/ssl/certs as well as skipping the creation in the future. So
if a user thinks that "Crypto AG Trust Root" should not be trusted, they
can copy it to that directory and it will no longer be set up as trust
anchor.

Joerg
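
[Added example for the c_rehash replacement sketched above. This is not
code from the mail, from NetBSD or from OpenSSL; it is a pure-Python
reimplementation written for this page, and the directory layout it
assumes is an assumption, not something the mail specifies: a certs
directory holding one PEM file per trust anchor plus the <hash>.<n>
symlinks that OpenSSL's CApath lookup resolves, and a certs.bad directory
holding PEM copies of certificates that must not be trusted. The link
names come from OpenSSL's X509_NAME_hash(): the first four bytes of
SHA-1 over the canonicalised subject, little-endian, which is why the
constructed certificate carrying the ISRG Root X1 subject below ends up
as 4042bcee.0, the link name familiar from Linux ca-certificates
installs. Because that hash is only 32 bits of a name digest, two
different certificates can share it (hence the .0, .1 suffixes), so the
blocklist is matched on the SHA-256 fingerprint of the whole certificate
rather than on the subject hash. The three certificates in the demo are
constructed, unsigned skeletons with just enough structure to parse;
they are not real CA certificates, and the "Crypto AG" names are the
mail's own hypothetical.]

```python
import base64, hashlib, re, tempfile
from pathlib import Path

def der_tlv(tag, content):
    """DER-encode one TLV, with a long-form length when content >= 128 bytes."""
    n = len(content)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big") if n >= 0x80 else b""
    return bytes([tag, 0x80 | len(lb) if lb else n]) + lb + content

def der_children(data):
    """Yield (tag, content) for each TLV inside a SEQUENCE/SET body."""
    i = 0
    while i < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:
            n, i = int.from_bytes(data[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        yield tag, data[i:i + n]
        i += n

def pem_to_der(text):
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", text))
def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()

# X509_NAME_hash() as OpenSSL >= 1.0 computes it; its value names the <hash>.<n> links.
CANON = {0x0C: "utf-8", 0x13: "latin-1", 0x14: "latin-1", 0x16: "latin-1",
         0x1A: "latin-1", 0x1E: "utf-16-be", 0x1C: "utf-32-be"}  # string types it canonicalises

def canon_value(tag, content):
    """asn1_string_canon(): re-type as UTF8String, trim, collapse blanks, lowercase ASCII."""
    if tag not in CANON:
        return der_tlv(tag, content)
    raw = re.sub(rb"\s+", b" ", content.decode(CANON[tag]).encode("utf-8").strip())
    return der_tlv(0x0C, bytes(c + 32 if 0x41 <= c <= 0x5A else c for c in raw))

def name_canon(name):
    """Canonical Name: every RDN SET re-encoded and DER-sorted, the outer SEQUENCE dropped."""
    out = b""
    for _, rdn in der_children(next(der_children(name))[1]):
        entries = []
        for _, atv in der_children(rdn):
            (_, oid), (vtag, val) = der_children(atv)
            entries.append(der_tlv(0x30, der_tlv(0x06, oid) + canon_value(vtag, val)))
        out += der_tlv(0x31, b"".join(sorted(entries)))
    return out

def subject_der(cert):
    """Subject of a DER Certificate; tbs = [0]version?, serial, alg, issuer, validity, subject."""
    fields = list(der_children(next(der_children(next(der_children(cert))[1]))[1]))
    return der_tlv(*fields[5 if fields[0][0] == 0xA0 else 4])

def subject_hash(cert):
    """First four bytes of SHA-1(canonical subject), little-endian: 32 bits, so collisions happen."""
    return int.from_bytes(hashlib.sha1(name_canon(subject_der(cert))).digest()[:4], "little")

def load_pems(directory):
    """{filename: DER} for the regular *.pem files in a directory; symlinks are skipped."""
    return {p.name: pem_to_der(p.read_text()) for p in sorted(Path(directory).glob("*.pem"))
            if not p.is_symlink()}

def rehash(certs_dir, bad_dir):
    """Rebuild the <hash>.<n> links in certs_dir, skipping every certificate whose SHA-256
    fingerprint matches a file in bad_dir. Returns ({link: target}, [skipped filenames])."""
    blocked = {hashlib.sha256(d).digest() for d in load_pems(bad_dir).values()}
    for p in Path(certs_dir).iterdir():                 # drop every old link first, so a cert
        if re.fullmatch(r"[0-9a-f]{8}\.\d+", p.name):   # just copied into certs.bad loses its link
            p.unlink()
    links, skipped, used = {}, [], {}
    for fn, der in load_pems(certs_dir).items():
        if hashlib.sha256(der).digest() in blocked:
            skipped.append(fn)
            continue
        h = subject_hash(der)
        link = "%08x.%d" % (h, used.get(h, 0))          # .1, .2, ... when subjects collide
        used[h] = used.get(h, 0) + 1
        (Path(certs_dir) / link).symlink_to(fn)
        links[link] = fn
    return links, skipped

C, O, CN = b"\x55\x04\x06", b"\x55\x04\x0a", b"\x55\x04\x03"   # id-at countryName, organizationName, commonName
ISRG_SUBJECT = [(C, "US"), (O, "Internet Security Research Group"), (CN, "ISRG Root X1")]
ROGUE_SUBJECT = [(C, "CH"), (O, "Crypto AG"), (CN, "Crypto AG Trust Root")]

def make_test_cert(rdns, serial):
    """Constructed, unsigned certificate skeleton (not a real CA cert): enough for subject_der()."""
    name = der_tlv(0x30, b"".join(der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x13, s.encode())))
                                  for oid, s in rdns))
    alg = der_tlv(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b\x05\x00")  # sha256WithRSAEncryption
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, bytes([serial])) + alg + name
                  + der_tlv(0x30, der_tlv(0x17, b"220101000000Z") * 2) + name
                  + der_tlv(0x30, alg + der_tlv(0x03, b"\x00\x00")))
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00\x00"))

def demo():
    """Scratch run: three anchors, two sharing a subject, one of those two blocklisted."""
    with tempfile.TemporaryDirectory() as root:
        certs, bad = Path(root, "certs"), Path(root, "certs.bad")
        certs.mkdir(); bad.mkdir()
        for fn, subj, serial in [("ISRG_Root_X1.pem", ISRG_SUBJECT, 1),
                                 ("Crypto_AG_Trust_Root.pem", ROGUE_SUBJECT, 2),
                                 ("Crypto_AG_Trust_Root_G2.pem", ROGUE_SUBJECT, 3)]:
            (certs / fn).write_text(to_pem(make_test_cert(subj, serial)))
        (bad / "untrusted.pem").write_text((certs / "Crypto_AG_Trust_Root.pem").read_text())  # the one to distrust
        return rehash(certs, bad)
```

Running demo() leaves two links: 4042bcee.0 for the ISRG subject and
<rogue hash>.0 for Crypto_AG_Trust_Root_G2.pem, while
Crypto_AG_Trust_Root.pem is reported as skipped even though it has the
same subject hash as its G2 sibling; a blocklist keyed on the subject
hash would have dropped both. Two caveats for anyone turning this into
the real thing: the blocklisted PEM file is left in place and only its
link is withheld, so a consumer that concatenates the directory into a
bundle instead of using CApath lookups still sees it; and the old links
are removed before the new ones are created, so run it under a lock or
into a staging directory that is renamed into place, or a verifier racing
the rehash sees an empty trust store.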

