[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: should ca-certificates certdata.txt synchronize across all suites?

On 07/17/2017 09:41 PM, Antoine Beaupré wrote:
> Let's not jump the gun here. We're not shipping NSS in ca-certificates,
> just a tiny part of it: one text file, more or less.

Yeah, and the consensus of the world external to Debian seems to be that
this might not be the smartest choice.

> Also, what Mozilla enforced in NSS, we enforced in ca-certificates in
> other ways, through the use of a blacklist.txt file. So we can
> definitely fix #858539 without syncing all of NSS to wheezy.

That is incorrect. nss/lib/certhigh/certvfy.c contains code specific to
the StartCom/WoSign mitigation. Now the time has come for full distrust,
we can sync dropping the certs entirely by adding them to blacklist.txt,
sure. (Although they will continue to live on in the NSS source

But my point stands that in the next round of distrust (say, uh,
Symantec), we might actually need to push code changes to NSS.

> The proposed patch here, is more or less only to merge that very file,
> blacklist.txt. The *other* thing proposed to the release team (in
> #867461) is to sync the *other* changes to certdata.txt from sid. But
> considering *that* work seems mostly stalled, I wonder how hard to push
> on that. Of course, we could also just decide, in LTS, to sync with
> jessie at least: we do not need release-team approval for this. This
> would be (let's be honest here) really to get Let's Encrypt directly in
> wheezy, and I think it would be worthwhile.

I think it's useful to phrase the goal which is:

- Remove StartCom
- Remove WoSign
- Add Let's Encrypt

Which is easier to get behind than "should we synchronize the file".

What's the timeline on Let's Encrypt dropping the cross certification?
Is that actually planned? Because the whole point of that was that
adding LE directly isn't actually critical. (And people should use the
chain provided by ACME rather than relying on certificates shipped by

Kind regards
Philipp Kern

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: