On Mon, 2014-09-08 at 09:00 -0500, Michael Catanzaro wrote:
> On Mon, 2014-09-08 at 10:06 +0200, Nikos Mavrogiannopoulos wrote:
> > Unfortunately only NSS works. Both openssl and gnutls fail to connect to
> > popular sites because of that change. It should not be assumed that the
> > users of ca-certificates are only programs using nss.
>
> [1] is an interesting read. I get the impression that certificates are
> being removed as long as there is a compatible replacement that NSS can
> validate, based on NSS's custom strategies for certificate validation.
> Is this claim accurate?

Yes.

Phasing out old, weak 1024-bit root CA certificates is difficult work, because there are so many issued certificates that still chain up to them. If we wanted to wait for all of them to expire, it would take many additional years until users were safe from attackers trying to generate certificates that appear to have valid signatures from CA certificates that use a weak signing key.

Bridge CA certificates are a common way to enable transitioning from old CA to newer CA certificates, while keeping compatibility. Shipping intermediate CA certificates to help software find an alternative trust chain is a good solution, in my opinion, and indeed is used by upstream to clean up the Mozilla CA list, while keeping compatibility. In my opinion, if other software cannot find the alternative trust chains, that's a bug.

I think it's good that we have started experimenting with these removals in the testing areas of Fedora, because it raises awareness of these issues, and hopefully can bring higher priority to getting OpenSSL and GnuTLS enhanced. But given the heavy complaints, maybe it's necessary that we delay shipping the upstream removals into stable Fedora a little longer, until we have a better solution (either by having OpenSSL/GnuTLS enhanced, or maybe by implementing a way that enables users/admins to re-enable legacy CA certificates).
Kai
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
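As an added illustration of the alternative-chain discovery Kai describes (this is example code written for this page, not NSS, OpenSSL, GnuTLS or Fedora code; the certificate names, key identifiers and key sizes are constructed), the toy path builder below contrasts a builder that commits to the first matching issuer at each step with one that backtracks over every candidate. The cross-signed "bridge" copy of the intermediate shipped in the local pool only helps the second kind once the legacy 1024-bit root has been removed from the trust store:

```python
# Added example for this thread; not NSS, OpenSSL, GnuTLS or Fedora code.
# A toy X.509 path builder over constructed certificates. It models only
# name/key-identifier matching and trust-anchor lookup; real validators
# also verify signatures, validity periods, constraints and revocation.
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Cert:
    subject: str
    ski: str       # subject key identifier: the key this cert certifies
    issuer: str
    aki: str       # authority key identifier: the key that signed this cert
    key_bits: int  # size of the certified key


def matches_issuer(cert: Cert, candidate: Cert) -> bool:
    """True if `candidate` certifies the name and key that signed `cert`."""
    return candidate.subject == cert.issuer and candidate.ski == cert.aki


def trusted_issuer(cert: Cert, anchors: Sequence[Cert]) -> Optional[Cert]:
    """Return the trust anchor that signed `cert`, if any."""
    for anchor in anchors:
        if matches_issuer(cert, anchor):
            return anchor
    return None


def build_first_match(leaf, supplied, pool, anchors, max_depth=8):
    """Chain builder that commits to the first matching issuer at each step.

    Once the server-sent intermediate leads to a root that is no longer
    trusted, this builder has nowhere to go and fails, even though a second
    copy of the intermediate with a different issuer is available.
    """
    chain = [leaf]
    cur = leaf
    for _ in range(max_depth):
        anchor = trusted_issuer(cur, anchors)
        if anchor is not None:
            return chain + [anchor]
        found = [c for c in list(supplied) + list(pool) if matches_issuer(cur, c)]
        if not found:
            return None
        cur = found[0]
        chain.append(cur)
    return None


def build_exhaustive(leaf, supplied, pool, anchors, max_depth=8):
    """Chain builder that backtracks over every matching issuer.

    The cross-signed copy of the intermediate in the local pool gives a
    second way up, so removing the legacy root still leaves a valid path.
    """
    candidates = list(supplied) + list(pool)

    def dfs(cur: Cert, chain: List[Cert]) -> Optional[List[Cert]]:
        anchor = trusted_issuer(cur, anchors)
        if anchor is not None:
            return chain + [anchor]
        if len(chain) >= max_depth:
            return None
        for cand in candidates:
            # `cand not in chain` prevents loops through mutually cross-signed CAs
            if matches_issuer(cur, cand) and cand not in chain:
                result = dfs(cand, chain + [cand])
                if result is not None:
                    return result
        return None

    return dfs(leaf, [leaf])


def chain_summary(chain):
    """(subject names, weakest key size) for a chain, or (None, None) if none."""
    if chain is None:
        return None, None
    return [c.subject for c in chain], min(c.key_bits for c in chain)


# Constructed data, modelled on the situation described in the thread: one
# issuing-CA key certified twice, by a 1024-bit legacy root and by a 2048-bit
# modern root. The server still sends the legacy-signed copy; the modern-signed
# copy is shipped locally as a bridge intermediate.
OLD_ROOT = Cert("Legacy Root CA", "k-old", "Legacy Root CA", "k-old", 1024)
NEW_ROOT = Cert("Modern Root CA", "k-new", "Modern Root CA", "k-new", 2048)
INTER_LEGACY = Cert("Example Issuing CA", "k-inter", "Legacy Root CA", "k-old", 2048)
INTER_BRIDGE = Cert("Example Issuing CA", "k-inter", "Modern Root CA", "k-new", 2048)
LEAF = Cert("www.example.test", "k-leaf", "Example Issuing CA", "k-inter", 2048)

SERVER_SENT = [INTER_LEGACY]
LOCAL_INTERMEDIATES = [INTER_BRIDGE]


def run_scenarios():
    """Try both builders against the full store and the store minus the legacy root."""
    stores = {"old+new roots": [OLD_ROOT, NEW_ROOT], "new root only": [NEW_ROOT]}
    builders = {"first-match": build_first_match, "exhaustive": build_exhaustive}
    results = {}
    for store_name, anchors in stores.items():
        for builder_name, builder in builders.items():
            chain = builder(LEAF, SERVER_SENT, LOCAL_INTERMEDIATES, anchors)
            results[(store_name, builder_name)] = chain_summary(chain)
    return results


if __name__ == "__main__":
    for (store, builder), (names, weakest) in run_scenarios().items():
        print(f"{store:14} {builder:11} -> {names} (weakest key: {weakest})")
```

With both roots trusted, either builder terminates at the 1024-bit root, which is exactly the chain the phase-out is meant to retire. With the legacy root removed, only the backtracking builder reaches the modern root, via the cross-signed copy from the local pool. The admin-side workaround the message mentions, re-enabling a legacy root, corresponds to putting OLD_ROOT back into the anchors; it restores connectivity but also restores the weak chain.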