Re: Shipping SSL certificates in the base system

To: tech-userlevel%NetBSD.org@localhost
Subject: Re: Shipping SSL certificates in the base system
From: Jan Danielsson <jan.m.danielsson%gmail.com@localhost>
Date: Tue, 4 Jul 2017 23:02:01 +0200

On 07/04/17 21:15, Benny Siegert wrote:
>>   There are other stories as well, but that's a good illustration of
>> why it's a bad idea to just hand over a bunch of CA's to users without
>> any mechanism for keeping the CA database, and CRL's, up to date.
> 
> I expected this argument, but it is finally irrelevant. This is because most users do one of two things:
> 
> (a) do nothing and effectively trust all certificates, because none are installed;
> (b) install the mozilla-rootcerts package and trust the mozilla set.
> Maybe add
> (c) users who consciously select a subset of those certificates — probably a tiny minority> Compare with root certificates in the base system:
> Users in (a) gain cert verification. Users in group (b) do not have to do a manual step. Users in group (c) lose nothing, because they still can futz with root certificates manually.
> 
> I assert that having a somewhat outdated set of Mozilla’s root certificates is better than having none at all and implicitly trusting everyone — or worse, trusting no one and having, say, Mercurial refuse to clone repos over https by default.

   Perhaps, but I think you're mixing two different issues together.

   If users choose to disable certificate verification, that's on them.

   If TNF takes on the role of a trusted CA source, then that implies a
lot of responsibility that they don't currently have.  They can't say
"here, have a bundle of outdated root certificates; we ship them only so
that some programs will shut up." -- that's irresponsible and it's
certain to cause unflattering comments.

   Don't take me wrong, I want a solution which would make the X509
experience in NetBSD smoother.  But being a trusted CA source means
splotlight and willingness to answer questions if something goes wrong.
I wouldn't be willing to take on that responsibility myself, so I'm not
going to ask TNF to do it.  (Though I would obviously be delighted if
they assigned a Chief PKI Officer role and offered a proper CA
distribution solution).

   With all that being said, you're not wrong about the complexities of
X509 actually lowering security in many instances, but it's still the
user's choice to do so.

-- 
Kind Regards,
Jan Danielsson

Follow-Ups:
- Re: Shipping SSL certificates in the base system
  - From: Alistair Crooks
- Re: Shipping SSL certificates in the base system
  - From: Pierre Pronchery

References:
- Shipping SSL certificates in the base system
  - From: Benny Siegert
- Re: Shipping SSL certificates in the base system
  - From: Joerg Sonnenberger
- Re: Shipping SSL certificates in the base system
  - From: Emmanuel Dreyfus
- Re: Shipping SSL certificates in the base system
  - From: David Holland
- Re: Shipping SSL certificates in the base system
  - From: Jan Danielsson
- Re: Shipping SSL certificates in the base system
  - From: Benny Siegert

Prev by Date: Re: LLDB: Sanitizing the debugger's runtime
Next by Date: Re: Shipping SSL certificates in the base system
Previous by Thread: Re: Shipping SSL certificates in the base system
Next by Thread: Re: Shipping SSL certificates in the base system
Indexes:

Home | Main Index | Thread Index | Old Index