
Re: should ca-certificates certdata.txt synchronize across all suites?



On 07/17/2017 09:41 PM, Antoine Beaupré wrote:
> Let's not jump the gun here. We're not shipping NSS in ca-certificates,
> just a tiny part of it: one text file, more or less.

Yeah, and the consensus of the world external to Debian seems to be that
this might not be the smartest choice.

> Also, what Mozilla enforced in NSS, we enforced in ca-certificates in
> other ways, through the use of a blacklist.txt file. So we can
> definitely fix #858539 without syncing all of NSS to wheezy.

That is incorrect. nss/lib/certhigh/certvfy.c contains code specific to
the StartCom/WoSign mitigation. Now the time has come for full distrust,
we can sync dropping the certs entirely by adding them to blacklist.txt,
sure. (Although they will continue to live on in the NSS source
additionally.)

But my point stands that in the next round of distrust (say, uh,
Symantec), we might actually need to push code changes to NSS.

> The proposed patch here, is more or less only to merge that very file,
> blacklist.txt. The *other* thing proposed to the release team (in
> #867461) is to sync the *other* changes to certdata.txt from sid. But
> considering *that* work seems mostly stalled, I wonder how hard to push
> on that. Of course, we could also just decide, in LTS, to sync with
> jessie at least: we do not need release-team approval for this. This
> would be (let's be honest here) really to get Let's Encrypt directly in
> wheezy, and I think it would be worthwhile.

I think it's useful to phrase the goal which is:

- Remove StartCom
- Remove WoSign
- Add Let's Encrypt

Which is easier to get behind than "should we synchronize the file".

What's the timeline on Let's Encrypt dropping the cross certification?
Is that actually planned? Because the whole point of that was that
adding LE directly isn't actually critical. (And people should use the
chain provided by ACME rather than relying on certificates shipped by
Debian.)

Kind regards
Philipp Kern
