tech-userlevel archive


Re: Shipping SSL certificates in the base system
Thanks to Bennie for starting off this discussion. My apologies for
derailing things with the tzdata allusion.

I think we're all aware of the nature of trust wrt these certs. So
quite why everyone is shouting "THESE CERTS MIGHT BECOME STALE OR
UNTRUSTED, SO IT IS FAR BETTER TO CONTINUE TO TRUST EVERYTHING" is a
bit beyond me.

Look, we all know the drawbacks of certs, trusting untrusted third
parties to bootstrap trust, the swamp that is revocation, expired
certs themselves, PKI, broken or exposed private keys, and many, many
other issues.

But they are better than nothing. Deal.

Best,
Alistair

On 2 July 2017 at 18:28, Greg Troxel <gdt%lexort.com@localhost> wrote:
>
> Benny Siegert <bsiegert%gmail.com@localhost> writes:
>
>> The question of root certificates for OpenSSL in base came up recently
>> in pkgsrc. That got me thinking: why does NetBSD not come with a set
>> of certificates in the base system? The set that mozilla-rootcerts
>> delivers would be a reasonable thing to put there, because
>> (a) that’s what literally everyone ends up installing anyway and
>> (b) it does not require us to make a moral judgement about individual CAs.
>
> The comparison to tzdata is not quite right.  Timezones are just facts
> about what names mean.   The mozilla CA set, not configured as trust
> anchors, is arguably the same conceptually.  But once configured as
> trust anchors, it's a trust decision.   So it's like the ssh
> fingerprints for TNF hosts in /etc/ssh/ssh_known_hosts, but with a level
> of indirection.
>
> I agree that the perl issue is easy to address.  Maybe kre can rewrite
> the script in sh/sed/awk :-)
>
> Overall, I think this is a difficult issue.  Part of the problem is that
> the whole CA situation is a bit surreal, having a large number of CAs
> that are in theory all trustworthy when logic defies that conclusion.
> But, it is how people validate X.509.
>
> There are several questions that I think need answering as part of a
> proposal to add the mozilla set:
>
> 1) What do other Free operating systems do?  What was their thought
> process in terms of balancing convenience, good engineering judgement
> and security?  How has it worked out?
>
> 2) Do any programs in the base system validate certificate chains, or
> fail to accept unvalidated certificates, by default?  If not, why is this
> a base issue?  Or are you also proposing to change those defaults?
>
> 3) Do other operating systems just use the mozilla set?  One
> controversial issue is the US government CA hierarchy, which I run into
> on government sites.  As I understand it, they haven't met the mozilla
> criteria, but they seem well run, and the risk of government
> misbehavior seems significant for all CAs associated with governments
> or in countries where government/CA is blurred, and I have the
> impression quite a few CAs for which government misbehavior is a
> rational concern are in the mozilla set.  Probably the same issue exists
> for other national CAs.
>
>
> I'm not really opposed, more very reluctant to conclude this is ok, but
> I'm not sure that's rational.
