tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Mozilla rootcerts




Le 18 août 2018 à 16:08, Greg Troxel <gdt%lexort.com@localhost> a écrit :


maya%netbsd.org@localhost writes:

So, AFAIK, the only source of root certificates we have is the
mozilla-rootcerts package.

As far as I know, too.  It's an interesting question whether there are
other lists of CAs under a reasonable license and in use by other
open-source entities.

It uses this list maintained by Mozilla:
https://hg.mozilla.org/mozilla-central/file/tip/security/nss/lib/ckfw/builtins/certdata.txt

Mozilla announced they will distrust Symantec*, but haven't done this by
changing the certdata file. After asking, it turns out they document
additional changes they apply on top:
https://wiki.mozilla.org/CA/Additional_Trust_Changes

I had foolishly thought that the file of trusted root certificates was
the list of trusted root certificates :-)

I am guessing that OpenSSL and gnutls do not have this same kind of
custom processing.

I am tempted to modify the rootcerts package to distrust any CA needing
more complicated rules than "full trust". As in, manually distrust:
- Kamu SM, Turkish govenrment CA
- ANSSI, French government CA**
- Symantec

Additionally, the list of "Symantec" is very long. At the original post
it included VeriSign. It no longer seems to. I'll need to find an
updated list.

You could look in the nss source code, which seems to be what counts.

Overall, it seems to me that the intent of the mozilla-rootcerts package
is to enable openssl to have configured as trust anchors the same set of
CAs that firefox would use.  So if you were able to implement their
rules exactly, that seems clearly appropriate.

That leaves basically two complexities:

It seems there are several intermediate CAs operated by others
(e.g. Apple, Google) that have presumably had separate audits, and
mozilla is whitelisting them but only until October (which is
practically tomorrow).  I am guessing the notion is that they are
getting (or have already) an intermediate certificate from a
still-respected CA.  Still, I wonder how much fallout there is when
using the reduced certlist as you proposed.

The second is that the Turkish and French CAs are in an odd position of
being valid for names within their own countries, but otherwise not.
I'm not clear on how that ended up, but it smells of "CA doesn't
actually meet the requirements (because then it would just be listed
without the caveat), but we're going to accept the reality that it has
significant standing in that country).  So in this case, leaving it out
seems ok, but I'd like to hear from users in those countries.


It seems the French CA (IGC/A) that once was included in Mozilla root certs has been retired following its lifecyle, and there is no need to get it back. So it looks fine to follow Mozilla CA removal.
Today the IGC/A is used mostly for inter ministry exchange, for government's own needs.
Anyone here willing to use NetBSD with such use case would most certainly have the knowledge to include IGC/A in the trusted CA store.

Meanwhile public service websites now use industry standard CA. So one will not miss IGC/A for everyday browsing.

My guess is that it's fine as is.
A bientôt ;)

So have you made the modification you are tempted to make locally, and
ran with it?  That would be an interesting data point too.

The other interesting question is what FreeBSD, OpenBSD, and the various
GNU/Linux distributions are doing and why.


Home | Main Index | Thread Index | Old Index