Re: [PATCHES] profiles: Produce a single-file CA certificate bundle

[Ludovic Courtès]

Mark H Weaver <address@hidden> skribis:

> I think perhaps that we should be more selective in the certs we add to
> ca-certificates.crt.  Debian has a configuration file
> /etc/ca-certificates.conf, and only adds certificates that are
> explicitly listed there to ca-certificates.crt.

Based on what you write, I agree we should be more selective, but I’m
not sure how we can do that.

So far the approach has been to trust Mozilla’s bundle, which is
apparently not such a great idea.  But what can we trust here?

> Several of the certs in /etc/ssl/certs have comments like this:
>
> # alias="Bogus Global Trustee"
> # trust=
> # distrust=CKA_TRUST_CODE_SIGNING CKA_TRUST_EMAIL_PROTECTION 
> CKA_TRUST_SERVER_AUTH
> # openssl-distrust=codeSigning emailProtection serverAuth
>
> So it seems that the NSS certificate store may include known-bogus
> certificates, perhaps to allow displaying a more severe security warning
> than the common case of an unknown CA (e.g. self-signed certificates).
>
> We should find out whether these Bogus untrusted CA certificates are
> present in Debian's /etc/ssl/certs, and whether they are present in its
> ca-certificates.conf.  We should also determine whether OpenSSL and
> GnuTLS pay attention to those "distrust" comments (see above) in the
> single-file certificate bundle, and whether they pay attention to them
> in the smaller *.pem and hash-named files.

Yes.  If not, we may have to look for ‘distrust’ lines in our own code
and get rid of such certificates.

> I will investigate later today, but if anyone is inspired to investigate
> sooner and report their findings, feel free.  It could be that 993300f6c
> and/or e979e6dd523 should be reverted.

That seems orthogonal to me.  What we could do is to change
‘x509-certificates’ to default to an empty bundle, if NSS is deemed
untrustworthy.

Ludo’.