guix-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCHES] profiles: Produce a single-file CA certificate bundle


From: Mark H Weaver
Subject: Re: [PATCHES] profiles: Produce a single-file CA certificate bundle
Date: Tue, 03 Mar 2015 03:27:57 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4 (gnu/linux)

I think perhaps that we should be more selective in the certs we add to
ca-certificates.crt.  Debian has a configuration file
/etc/ca-certificates.conf, and only adds certificates that are
explicitly listed there to ca-certificates.crt.

Several of the certs in /etc/ssl/certs have comments like this:

# alias="Bogus Global Trustee"
# trust=
# distrust=CKA_TRUST_CODE_SIGNING CKA_TRUST_EMAIL_PROTECTION 
CKA_TRUST_SERVER_AUTH
# openssl-distrust=codeSigning emailProtection serverAuth

So it seems that the NSS certificate store may include known-bogus
certificates, perhaps to allow displaying a more severe security warning
than the common case of an unknown CA (e.g. self-signed certificates).

We should find out whether these Bogus untrusted CA certificates are
present in Debian's /etc/ssl/certs, and whether they are present in its
ca-certificates.conf.  We should also determine whether OpenSSL and
GnuTLS pay attention to those "distrust" comments (see above) in the
single-file certificate bundle, and whether they pay attention to them
in the smaller *.pem and hash-named files.

I will investigate later today, but if anyone is inspired to investigate
sooner and report their findings, feel free.  It could be that 993300f6c
and/or e979e6dd523 should be reverted.

      Mark



reply via email to

[Prev in Thread] Current Thread [Next in Thread]