tech-security archive
Re: trust anchors and the base system
Joerg Sonnenberger <joerg%bec.de@localhost> wrote:
> I don't think that summarizes my position and what I suspect a lot of
> other people think. If you care enough, you are free to configure your
> system differently. But that's no excuse for not having a configuration
> out of the box that works well enough for 99% of humanity.
I quite agree with this.
Tools should by default validate certificates unless explicitly asked not to. Adding a system-wide global DONT_VALIDATE setting strikes me as overly complicated, requiring modifications in too many places.
> I don't see a need for inventing a separate update mechanism, we already
> have enough mechanisms for updating /etc and the rest of the system. The
> only new part we should support IMO is /etc/ssl/certs.bad and having a
> replacement for c_rehash in shell or C that looks into that directory,
> builds a list of hashes of all certs in it and explicitly removes them
> from /etc/ssl/certs as well as skipping the creation in the future. So
> if a user thinks that "Crypto AG Trust Root" should not be trusted, they
> can copy it to that directory and it will no longer be set up as trust
> anchor.
Yep. The way I think this might work out would be:
- pull in mozilla-root-certs by default at install time
- hash into per-file symlinks
- allow users to identify untrusted certs (e.g., as described above)
- allow users to add trusted certs (analogous to the above with s/bad/good/)
- have etcupdate update mozilla-root-certs, then rehash, add/remove from user preference
- allow this last step to be invoked periodically from e.g. /etc/daily via a security.conf setting or some such
-Jan
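The rehash step sketched in the thread (a c_rehash replacement that honours a certs.bad and a certs.good directory), as an added example that is not from the thread or from NetBSD. It identifies certificates by the SHA-256 of their DER bytes, an assumption made so the script needs no X.509 parser (the real c_rehash names links by subject-name hash); the directory names and the placeholder "certificates" built by pem() are constructed for the demo.

```python
import base64, hashlib, re, tempfile
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def fingerprint(pem_text):
    """SHA-256 of the DER bytes of the first certificate in a PEM blob."""
    body = PEM_RE.search(pem_text).group(1)
    return hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()

def scan(directory):
    """Map fingerprint -> path for every PEM certificate file in a directory (absent dir = empty)."""
    d = Path(directory)
    texts = {p: p.read_text() for p in sorted(d.iterdir()) if p.is_file()} if d.is_dir() else {}
    return {fingerprint(t): p for p, t in texts.items() if PEM_RE.search(t)}

def rehash(source, certs, bad, good):
    """Rebuild certs/ as symlinks to source + good, minus anything whose hash is in bad."""
    blocked = set(scan(bad))
    wanted = {fp: p for fp, p in {**scan(source), **scan(good)}.items() if fp not in blocked}
    certs = Path(certs)
    certs.mkdir(parents=True, exist_ok=True)
    removed = [l.name for l in certs.iterdir()
               if l.is_symlink() and l.suffix == ".pem" and l.stem not in wanted]
    for name in removed:                      # covers newly distrusted and vanished certs
        (certs / name).unlink()
    added = []
    for fp, path in wanted.items():
        link = certs / f"{fp}.pem"
        if not link.is_symlink():             # leave existing links (and user files) alone
            link.symlink_to(path.resolve())
            added.append(link.name)
    return sorted(added), sorted(removed)

def pem(label):
    """Constructed placeholder: base64 of a label stands in for real DER (nothing parses it)."""
    b64 = base64.b64encode(f"DER:{label}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

def demo():
    """Install three roots, then distrust one by dropping it into certs.bad and re-running."""
    root = Path(tempfile.mkdtemp())
    dirs = {n: root / n for n in ("mozilla", "certs", "certs.bad", "certs.good")}
    for d in dirs.values():
        d.mkdir()
    (dirs["mozilla"] / "GoodRoot.pem").write_text(pem("good-root"))
    (dirs["mozilla"] / "CryptoAG.pem").write_text(pem("crypto-ag-root"))
    (dirs["certs.good"] / "CorpCA.pem").write_text(pem("corp-internal-ca"))
    args = (dirs["mozilla"], dirs["certs"], dirs["certs.bad"], dirs["certs.good"])
    added, _ = rehash(*args)
    (dirs["certs.bad"] / "CryptoAG.pem").write_text(pem("crypto-ag-root"))
    _, removed = rehash(*args)
    return len(added), removed, sorted(l.name for l in dirs["certs"].iterdir())
```

Running the same rehash from a periodic job is idempotent: links whose target is still wanted are left alone, so only newly distrusted, newly added or vanished certificates produce changes.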