
ca-certificates



The world is in the process of learning just how much the NSA, 
GCHQ, and the similar organizations of Canada, New Zealand and 
Australia are doing to subvert ALL encrypted traffic.  One thing I 
read recently is that it is possible that the NSA (with the other 
4 possibly helping) has broken RC4.

Today, after an apt-get update, I see there is a new 
ca-certificates available.  Okay, install it.  There is a dialog on 
my text console for this, do you trust this handful of new 
certificates?  How should I know?  The README file (possibly from 
the June update, since I haven't finished allowing the update to 
install) says that there is only a single way for updates to get 
into the Debian system, they must be updates to Mozilla's trust 
system.  Wonderful, how do we evaluate that?

As the package is not yet installed, I don't know if there is a 
changelog entry explaining where these new certificates come from, 
and why we should trust them.  But, the changelog entry from June 
says that in that update, they are removing an expired 
certificate from 2007.  Is this SOP?  Wait 6 years to remove an 
expired certificate?

The certificate knows it is expired.  Every time I apt-get update, 
I get pestered about problems with the QGIS archive key.  I tried 
doing key maintenance with apt-key.  All I did was change the 
error message I get from apt-get update.  Maybe when the current 
QGIS key expires, the update to that will start to work again?

It would be nice if say the README.Debian file would provide 
pointers to tools or protocols to evaluate these certificates.

But, if the NSA has broken RC4 and someone can prove it, I would 
imagine that most certificates in ca-certificates should become 
invalid very soon.

But, cryptanalysis is not my field.  Numerical methods is a big 
chunk of my study.

Gord
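One way to do the evaluation the post asks about, as an added example that is not part of the original mail or of the Debian ca-certificates package: audit the installed PEM bundle with nothing but the Python standard library, flag anchors that are already expired or about to expire, and diff two versions of the bundle (say, the copy saved before an update against the new one) to see exactly which anchors were added or removed. The file paths and the sample certificate records below are constructed for illustration; `ssl.SSLContext.get_ca_certs()` returns records in the same layout as `getpeercert()`, which is the shape the samples imitate.

```python
"""Audit a PEM CA bundle (e.g. /etc/ssl/certs/ca-certificates.crt) using only
the Python standard library: list each trust anchor with its expiry status and
diff two bundles to see what an update changed.  Added example, not part of
the Debian ca-certificates package."""
import ssl
import sys
import time

# Constructed sample records in the layout ssl.SSLContext.get_ca_certs()
# returns (same as SSLSocket.getpeercert()).  These are NOT real CA entries.
SAMPLE_OLD = [
    {"subject": ((("commonName", "Example Root 2001"),),),
     "issuer": ((("commonName", "Example Root 2001"),),),
     "version": 3, "serialNumber": "01",
     "notBefore": "Jan  1 00:00:00 2001 GMT", "notAfter": "Jan  1 00:00:00 2007 GMT"},
    {"subject": ((("commonName", "Example Root 2010"),),),
     "issuer": ((("commonName", "Example Root 2010"),),),
     "version": 3, "serialNumber": "0A",
     "notBefore": "Jan  1 00:00:00 2010 GMT", "notAfter": "Jan  1 00:00:00 2030 GMT"},
]
SAMPLE_NEW = [
    SAMPLE_OLD[1],  # the 2010 root is carried over unchanged
    {"subject": ((("commonName", "Example Root 2013"),),),
     "issuer": ((("commonName", "Example Root 2013"),),),
     "version": 3, "serialNumber": "0B",
     "notBefore": "Jan  1 00:00:00 2013 GMT", "notAfter": "Jan  1 00:00:00 2033 GMT"},
]


def dn_string(dn):
    """Flatten a getpeercert()-style distinguished name into 'k=v, k=v'."""
    return ", ".join("%s=%s" % (k, v) for rdn in dn for k, v in rdn)


def cert_key(cert):
    """Stable identity of a trust anchor: issuer DN plus serial number."""
    return (dn_string(cert["issuer"]), cert["serialNumber"])


def expiry_status(cert, now, warn_days=90):
    """Return 'expired', 'expiring' (within warn_days) or 'ok' relative to now."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after <= now:
        return "expired"
    if not_after - now < warn_days * 86400:
        return "expiring"
    return "ok"


def diff_bundles(old, new):
    """Return (added, removed): anchors present only in new / only in old."""
    old_by_key = {cert_key(c): c for c in old}
    new_by_key = {cert_key(c): c for c in new}
    added = [new_by_key[k] for k in new_by_key if k not in old_by_key]
    removed = [old_by_key[k] for k in old_by_key if k not in new_by_key]
    return added, removed


def load_bundle(path):
    """Load every CA certificate from a PEM bundle file on disk."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=path)
    return ctx.get_ca_certs()


def report(certs, now=None):
    """One line per anchor: status, subject and expiry date, sorted by subject."""
    now = time.time() if now is None else now
    ordered = sorted(certs, key=lambda c: dn_string(c["subject"]))
    return ["%-8s %s  (until %s)" % (expiry_status(c, now), dn_string(c["subject"]), c["notAfter"])
            for c in ordered]


if __name__ == "__main__":
    if len(sys.argv) == 2:            # audit one bundle: script.py BUNDLE.crt
        print("\n".join(report(load_bundle(sys.argv[1]))))
    elif len(sys.argv) == 3:          # diff two bundles: script.py OLD.crt NEW.crt
        added, removed = diff_bundles(load_bundle(sys.argv[1]), load_bundle(sys.argv[2]))
        print("added:\n  " + "\n  ".join(report(added)))
        print("removed:\n  " + "\n  ".join(report(removed)))
    else:                             # no arguments: run on the constructed samples
        print("\n".join(report(SAMPLE_OLD)))
        added, removed = diff_bundles(SAMPLE_OLD, SAMPLE_NEW)
        print("added: %s" % [dn_string(c["subject"]) for c in added])
        print("removed: %s" % [dn_string(c["subject"]) for c in removed])
```

Run it with no arguments to see the behaviour on the samples, with one path to audit the live bundle, or with two paths to compare the bundle saved before an upgrade against the one after it. Keying anchors on issuer plus serial rather than on subject name alone matters because a re-issued root can keep the same name while being a different certificate; the diff reports such a change as one removal and one addition, which is exactly the case that deserves a look before answering the package's trust dialog.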
