tech-userlevel archive


Re: Shipping SSL certificates in the base system



On 07/03/17 03:01, David Holland wrote:
> On Mon, Jul 03, 2017 at 12:56:38AM +0000, Emmanuel Dreyfus wrote:
>  > On Mon, Jul 03, 2017 at 12:45:17AM +0200, Joerg Sonnenberger wrote:
>  > > The only problem I see is that outdated timezone data doesn't
>  > > necessarily have a real world impact. Outdated root CAs can.
>  > 
>  > Most of the time, outdated things in a system are dangerous. Known
>  > security vulnerabilities accumulate over time, and outdated
>  > CAs are just a bit of that problem.
>  > 
>  > Outdated stuff that is not a security hazard, like timezone data,
>  > is rather scarce.
> 
> Most outdated stuff is also not as serious a hazard as bad CA keys.

   Case in point:
https://arstechnica.com/security/2017/03/google-takes-symantec-to-the-woodshed-for-mis-issuing-30000-https-certs/

   Short version for those who don't want to visit the link and haven't
followed the story:  People asked Symantec for server certificates of
domains they didn't actually own, and they were given them.  Mozilla and
Google were not amused.

   There are other stories as well, but that's a good illustration of
why it's a bad idea to just hand over a bunch of CAs to users without
any mechanism for keeping the CA database, and CRLs, up to date.

   Mozilla and Google like to update their browsers every few hours,
which is annoying, but at least it helps keep the PKI datastore up to date.

-- 
Kind regards,
Jan Danielsson


