[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Mozilla's CNNIC white list: anything to do with ca-certificates ?

2015-09-09 1:00 GMT+02:00 Michael Shuler <michael@pbandjelly.org>:
On 09/08/2015 05:05 PM, Jérémy Lal wrote:

i'm packaging nodejs 4.0.0, which contains CNNICHashWhitelist.inc,
related to https://bugzilla.mozilla.org/show_bug.cgi?id=1151512

This file is non-dfsg in itself (it's not preferred form for modification),
but i don't really understand what it is.

>From the best of my reading, it's restricting Firefox from validating any cert signed by CNNIC except those on the provided whitelist. I don't see where this was included in NSS.

FYI the debian nodejs package itself uses the files from ca-certificates,
not the ones bundled in it.
Is this CNNIC white list something meaningful in that case ?

ca-certificates is very little beyond the mozilla CA bundle and a method for users to select the CAs they wish to trust/distrust. There is no library, just root certs. CNNIC is one of those root certs. If a user does not want to trust a CA, then can disable it. Unfortunately, there is no middle ground.

This whitelist is one of those grey area things that Mozilla has started doing in code outside of the root CA bundle, instead of just invalidating the root CA completely. There's nothing that can really be done in the ca-certificates package, since it's boolean; trust or not. This means there is not an exact parity between what Firefox may validate (or not) and software that uses the Debian ca-certificates trusted root CA list. NSS, on the other hand, may have gotten the same whitelist logic as Firefox - I don't know.

Is it meaningful? CNNIC is a trusted CA by default, so certs will validate. If someone waves their arms because we don't invalidate something exactly the same way as Firefox, then we need a library of some sort to do that, like NSS, which means re-writing software like nodejs to link against it, etc. Not sure if it's worth the effort - and users that don't trust CNNIC can simply disable that CA completely.

Let me know if that helps (or not)!  :^)

It does, thank you a lot.
Apparently nodejs is doing that work of filtering itself !
Depending on the dfsg status of the generated file i'll disable that
functionnality, or not.

cc-ing to -devel in case someone is interested.


Reply to: