Hi, On 03.09.21 13:11, Simon Richter wrote: [Revocation mechanism]
We have a big hammer, shipping a new ca-certificates package. If we want something that only affects apt, but not other packages, that mechanism doesn't exist yet.If we don't have one, shouldn't we worry more about that given the widespread use of TLS?
I think that's an interesting point, not just for revocation. There are forces pushing for more agility, switching out roots of trust more frequently. So for very old releases, you usually had the signing key of the next release on disk, so you could move to the next release. In this case you sort of risk not having the TLS authority on disk to make that happen. And of course we need to track what the authorities are doing that our frontends are using (e.g. [1] around how to deal with old Android devices).
But then I'm not sure how much we need to care about ancient releases that are out of security support. We would need to commit to regularly update the certificate bundle, though.
To your other point: I don't think managing trust into individual CAs will scale. We cannot really anticipate which CAs we are going to use in the future.
Kind regards Philipp Kern [1] https://letsencrypt.org/2020/12/21/extending-android-compatibility.html