
Re: should ca-certificates certdata.txt synchronize across all suites?



On 2017-07-20 18:15:00, Philipp Kern wrote:
> On 07/17/2017 09:41 PM, Antoine Beaupré wrote:
>> Let's not jump the gun here. We're not shipping NSS in ca-certificates,
>> just a tiny part of it: one text file, more or less.
>
> Yeah, and the consensus of the world external to Debian seems to be that
> this might not be the smartest choice.

I'm not sure I understand what you are proposing as an alternative
here. Should we stop shipping ca-certificates? Or make it a binary
package of the NSS source package?

>> Also, what Mozilla enforced in NSS, we enforced in ca-certificates in
>> other ways, through the use of a blacklist.txt file. So we can
>> definitely fix #858539 without syncing all of NSS to wheezy.
>
> That is incorrect. nss/lib/certhigh/certvfy.c contains code specific to
> the StartCom/WoSign mitigation. Now the time has come for full distrust,
> we can sync dropping the certs entirely by adding them to blacklist.txt,
> sure. (Although they will continue to live on in the NSS source
> additionally.)

I don't understand this: how is it incorrect? #858539 applies only to
ca-certificates, and can be fixed without patching NSS.

Now to update the NSS package itself is another question, again.

> But my point stands that in the next round of distrust (say, uh,
> Symantec), we might actually need to push code changes to NSS.

Sure, but that doesn't necessarily affect ca-certificates directly, in
that we can update ca-certificates orthogonally right now.

>> The proposed patch here is more or less only to merge that very file,
>> blacklist.txt. The *other* thing proposed to the release team (in
>> #867461) is to sync the *other* changes to certdata.txt from sid. But
>> considering *that* work seems mostly stalled, I wonder how hard to push
>> on that. Of course, we could also just decide, in LTS, to sync with
>> jessie at least: we do not need release-team approval for this. This
>> would be (let's be honest here) really to get Let's Encrypt directly in
>> wheezy, and I think it would be worthwhile.
>
> I think it's useful to phrase the goal which is:
>
> - Remove StartCom
> - Remove WoSign
> - Add Let's Encrypt
>
> Which is easier to get behind than "should we synchronize the file".

Sure. The point I was trying to make here was that we seem to be
favoring certain well-known CAs over other, less well-known ones. I'm actually
with that (e.g. because I don't like Amazon very much), but I'm not sure
that's a position that should be reflected in our work.

> What's the timeline on Let's Encrypt dropping the cross certification?
> Is that actually planned? Because the whole point of that was that
> adding LE directly isn't actually critical. (And people should use the
> chain provided by ACME rather than relying on certificates shipped by
> Debian.)

I can't answer those questions, unfortunately, but it's a fair point.

Pabs? What was the idea behind migrating LE down to wheezy?

A.

-- 
Advertising is the invisible dictatorship of our society.
                        - Jacques Ellul

