Re: ca-certificates 2014.2.1 will remove several still valid CA certificates with weak keys

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




Am 31.10.2014 um 15:53 schrieb Nikos Mavrogiannopoulos:
On Fri, 2014-10-31 at 09:49 -0500, Michael Catanzaro wrote:
We should work with the upstream OpenSSL and the GnuTLS projects,
and
motivate them to implement more advanced path building. This would
be a
long term project.
Is there some issue with gnutls in F21? As far as I understand it
should
work as expected with the certificates removed.

It works as expected in the sense that GnuTLS can no longer handle major
web sites like Amazon and Kickstarter, this being the natural
consequence of removing a root before the certificates issued by it have
expired....

Are you sure that this is the case with the current package? My F21 can
no longer connect to network to test, but gnutls in it should
reconstruct the chain similarly to what nss does (not very similarly to
be precise but the end result should be the same). If it is not the case
please report it as bug and I'll check it out.

the point is that if somebody buys a certificate for 6 years he may have a checklist when to change them and if some 3rd party decides to remove the CA certificate -> game over for users of that 3rd party

from where will you "reconstruct the chain"?

* webserver a) has a certificate for 6 years
* the issuer is CA b) which you remove
* you make that certificate invalid by intention
* frankly, that certificate still shows "i am valid until"
* that certificate would have to be replaced
* that won't happen in many cases

you can hope and expect that large internet copmanies are doing that in a timely manner, but you *really really* can not expect that from anybody out there and you won't notice small websites and other services breaking caused by that

the worst case is that somebody with no technical clue installed the certificate, becomes very few complaints, verfies that it works everywhere and claims Fedora to be broken - and frankly he is just right with that claim because nobody but the CA is in the position to revoke CA certs which are valid

there is a difference in CA's call back certificates and force there users to re-new their certificates or a random OS supplier just removes them from the chain - the CA normally knows which certificates are issued for which customer with a specific CA certificate - the blind butcher making CA certificates invalid don't know

the whole CA trust idea is broken by design, but you won't fix it by remove vaild CA certificates *without coordinate that with the affected CA and make sure all affected customer certificates are replaced*

Attachment: signature.asc
Description: OpenPGP digital signature

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux