tech-userlevel archive
Re: [PATCH] HTTPS/TLS CA certificates in base
> Date: Wed, 23 Aug 2023 16:29:21 -0400
> From: Thor Lancelot Simon <tls%panix.com@localhost>
>
> I would like to be sure we will avoid any use of public CAs' certificates
> to establish trust for upgrades of NetBSD itself, or of packages. Otherwise,
> we will find ourselves in a situation where we can never recover if a CA
> goes rogue.

Well, right now, there's _nothing_ used to automatically verify binary
upgrades or packages, so it's already worse than the problem you're
alluding to. (The only authenticated end-to-end path is source-only.)

With the change, the public CA certificates would be available to
validate TLS/HTTPS connections used to download sets and packages in
transit, at least (cdn-to-end, that is -- still not end-to-end).

But these will not be used to verify signatures on binary upgrades or
packages at rest (end-to-end, i.e., builder-to-end), if that's what
you're asking.

The public CA certificates may still be used _on top_, of course, by
doing downloads through HTTPS, but not for verifying signatures on the
binary sets/packages (or manifests of them) from the origin. Separate
plans for that, more to come later.