tech-userlevel archive

Re: Shipping SSL certificates in the base system

Benny Siegert <> writes:

> The question of root certificates for OpenSSL in base came up recently
> in pkgsrc. That got me thinking: why does NetBSD not come with a set
> of certificates in the base system? The set that mozilla-rootcerts
> delivers would be a reasonable thing to put there, because
> (a) that’s what literally everyone ends up installing anyway and 
> (b) it does not require us to make a moral judgement about individual CAs.

The comparison to tzdata is not quite right.  Timezones are just facts
about what names mean.   The mozilla CA set, not configured as trust
anchors, is arguably the same conceptually.  But once configured as
trust anchors, it's a trust decision.   So it's like the ssh
fingerprints for TNF hosts in /etc/ssh/ssh_known_hosts, but with a level
of indirection.

I agree that the perl issue is easy to address.  Maybe kre can rewrite
the script in sh/sed/awk :-)

Overall, I think this is a difficult issue.  Part of the problem is that
the whole CA situation is a bit surreal, having a large number of CAs
that are in theory all trustworthy when logic defies that conclusion.
But, it is how people validate X.509.

There are several questions that I think need answering as part of a
proposal to add the mozilla set:

1) What do other Free operating systems do?  What was their thought
process in terms of balancing convenience, good engineering judgement
and security?  How has it worked out?

2) Do any programs in the base system validate certificate chains, or
fail to accept unvalidated certificates, by default?  If not, why is this
a base issue?  Or are you also proposing to change those defaults?

3) Do other operating systems just use the mozilla set?  One
controversial issue is the US government CA hierarchy, which I run into
on government sites.  As I understand it, they haven't met the mozilla
criteria, but they seem well run, and the risk of government
misbehavior seems significant for all CAs associated with governments
or in countries where government/CA is blurred, and I have the
impression quite a few CAs for which government misbehavior is a
rational concern are in the mozilla set.  Probably the same issue exists
for other national CAs.

I'm not really opposed, more very reluctant to conclude this is ok, but
I'm not sure that's rational.


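The distinction drawn above between a CA set as a fact and a CA set as a trust anchor, as an added shell example that is not part of the thread: the same ca.pem is first merely present on disk and then configured as an anchor, and only the second state changes what verifies. It assumes the openssl command-line tool; the CA, host name and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread.  A CA certificate file is inert until a
# verifier is configured to use it as a trust anchor.  Assumes the openssl CLI
# (OpenSSL 1.0.2 or later, or LibreSSL).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/empty"

# Neutralize the system default store so only what this script configures counts.
export SSL_CERT_FILE="$WORK/nonexistent" SSL_CERT_DIR="$WORK/empty"

# Constructed throwaway CA and a leaf certificate signed by it (hypothetical names).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=host.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -sha256 -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -set_serial 1 \
    -out "$WORK/leaf.pem" >/dev/null 2>&1

# verify_leaf STORE: exit 0 only if leaf.pem chains to an anchor in STORE.
# STORE is a PEM bundle, or "none" to verify with no anchors configured at all.
# The "OK" output text is checked rather than the exit status, because old
# openssl versions exited 0 even when verification failed.
verify_leaf() {
    if [ "$1" = none ]; then
        openssl verify "$WORK/leaf.pem" 2>/dev/null
    else
        openssl verify -CAfile "$1" "$WORK/leaf.pem" 2>/dev/null
    fi | grep -q ': OK$'
}

# Same ca.pem both times: first only present on disk, then configured as an anchor.
if verify_leaf none; then
    echo "unexpected: leaf verified with no anchors configured"
else
    echo "no anchors configured: leaf NOT verified (ca.pem on disk is just a file)"
fi
if verify_leaf "$WORK/ca.pem"; then
    echo "ca.pem configured as anchor: leaf verified (this is the trust decision)"
fi
```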