tech-userlevel archive
Re: Shipping SSL certificates in the base system
On 07/06/17 02:04, Alistair Crooks wrote:
> Distributing mozilla root certs is hardly "TNF takes on the role of a
> trusted CA source".
Granted, I'm biased because of $dayjob, but in my view someone
handing me a bunch of CA certificates as part of an installation is by
definition taking on the role of a trusted CA source. I assume you
disagree -- the question is: if there's an incident due to outdated and
compromised root CAs, which view will the security community take --
yours or mine? (To be perfectly honest, I'm way too biased to be able
to answer it objectively, but I ask readers to consider this perspective.)
(Also, don't misread "trusted CA source" as "CA issuer" -- completely
different entities.)
> And we need to start thinking laterally here. Certs are necessarily
> transitory, and we wish any form of added trust to be enduring over a
> period of time.
>
> + Can we use ssh fingerprints of project machines as part of the
> trust-booting procedure, or as a light form of 2FA?
> + Can we ship just a subset of root certs to get, in a trusted way, to
> NetBSD.org, and then download (with a bit more assurance than just a
> straight HTTP GET request) an updated set of mozilla root certs?
> + Can we ship a full set of root certs, as a bootstrap mechanism to
> getting a more up to date set? What is the fallback in this case - no
> service?
> + Can we have the certs mirrored, and use a number of similar
> replies from untrusted sources as a bootstrap mechanism?
> + Do we put all of our eggs in one basket, pin the cert, and then rely
> on that being the one true way?
> + How should true revocation be done?
> + root certs which are signed with NetBSD ssh host keys could be an
> interesting area of opportunity
> + Everything else I've forgotten
Everything you list here is essentially a sign of you wanting TNF to
be a trusted CA source, so you've made me very confused with regard to
what your objection was(?).
If you [as in TNF] are willing to set that up (a means to distribute
a CA bundle securely, vouch for it, and provide a mechanism for users to
keep it up-to-date and verify its correctness), I'd be very pleased
(this is something I've wanted for a long time). I'm just against the
idea of "let's ship a bundle of outdated certs, with no means of keeping
them up-to-date, just to shut programs up", which was my interpretation
of the original suggestion. (Your reply made it clear that I hadn't
made that point sufficiently clear in my previous posts.)
I like the direction you're taking this; please don't take my posts
as discouragement.
--
Kind regards,
Jan Danielsson
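One way to implement the "similar replies from untrusted mirrors" bootstrap from the quoted list together with the "verify its correctness" requirement above, as an added example that is not part of this thread or of any NetBSD tool (the function names and the placeholder bundle contents are constructed; the bodies are not real certificates):

```python
import hashlib
from collections import Counter

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def split_pem(bundle: str) -> list[str]:
    """Return every PEM certificate block in the bundle, ignoring text
    between blocks; a block without its END marker is an error."""
    certs, current, inside = [], [], False
    for line in bundle.splitlines():
        if line == PEM_BEGIN:
            inside, current = True, [line]
        elif line == PEM_END and inside:
            current.append(line)
            certs.append("\n".join(current))
            inside = False
        elif inside:
            current.append(line)
    if inside:
        raise ValueError("truncated PEM block")
    return certs


def tally(replies: dict[str, bytes]) -> tuple[str, int, dict[str, str]]:
    """Hash each mirror's reply and return (winning digest, votes, digests)."""
    digests = {m: hashlib.sha256(b).hexdigest() for m, b in replies.items()}
    winner, votes = Counter(digests.values()).most_common(1)[0]
    return winner, votes, digests


def choose_bundle(replies: dict[str, bytes], quorum: int) -> bytes:
    """Accept a bundle only when at least `quorum` mirrors returned
    byte-identical content, so one stale or compromised mirror cannot
    decide the outcome on its own; fail closed on a garbled bundle."""
    winner, votes, digests = tally(replies)
    if votes < quorum:
        raise ValueError(f"only {votes} mirror(s) agree; quorum is {quorum}")
    chosen = next(b for m, b in replies.items() if digests[m] == winner)
    split_pem(chosen.decode())  # raises on a truncated PEM block
    return chosen


# Constructed placeholder data; these are not real certificates.
def _pem(body: str) -> str:
    return f"{PEM_BEGIN}\n{body}\n{PEM_END}\n"

CURRENT_BUNDLE = (_pem("AAAA-constructed-root-1") + _pem("BBBB-constructed-root-2")).encode()
STALE_BUNDLE = _pem("AAAA-constructed-root-1").encode()  # one mirror lags behind
MIRROR_REPLIES = {"mirror-a": CURRENT_BUNDLE, "mirror-b": CURRENT_BUNDLE, "mirror-c": STALE_BUNDLE}

if __name__ == "__main__":
    bundle = choose_bundle(MIRROR_REPLIES, quorum=2)
    print(f"accepted bundle with {len(split_pem(bundle.decode()))} certificates")
```

Agreement between mirrors only shows that the copies are consistent, not that the bundle is authentic; a signature from the distributing party is still needed to "vouch for it".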