On 01/06/2016 11:23 AM, Michael Catanzaro wrote:
> Hi,
>
> Is any important software (e.g. openssl, gnutls, glib-networking,
> Qt) in Fedora still relying on our legacy 1024-bit root RSA
> certificates?
>
> I believe Fedora is currently the only distro shipping these
> insecure root certificates. Originally, this was a good choice (and
> big thanks to Kai Engert for making it happen) because they were
> needed for compatibility with software using OpenSSL or GLib
> sockets. Nowadays, I'm not aware of any software that still needs
> them.
>
> Since keeping these certificates around is a serious security
> issue, I propose we remove them if nothing "important" still needs
> them.
>
> You can test if any of your software needs these certificates by
> running 'sudo ca-legacy disable'.

Well, the problem was never software that Fedora was shipping. The problem is Fedora *as a client*. There are unfortunately many websites out there that are still signed by insecure certificates. We certainly need to choose a sunset date to stop shipping those insecure CAs, but unfortunately we can't force everyone in the world to switch to sane certificates. (Realistically, this won't change until 6-12 months after Google Chrome, Microsoft Internet Explorer and Apple Safari all eliminate those CAs.) I don't have any information on if or when this will happen, but that's just about the only way that website admins will suddenly care enough to fix things.

(It would also be nice if the CA issuers would be kinder about just reissuing existing certificates without a fee, but they aren't...)

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
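The thread above suggests 'sudo ca-legacy disable' as the way to find out whether anything still depends on the 1024-bit legacy roots. A complementary check, before touching the trust configuration, is to audit the PEM bundle itself and list every RSA root whose modulus is shorter than 2048 bits. The script below is an added example, not code from the thread or from the Fedora ca-certificates package. It uses only the Python standard library: a minimal DER walker that follows Certificate -> tbsCertificate -> subjectPublicKeyInfo -> RSAPublicKey and reads the modulus length. The certificates it feeds itself are constructed test data (self-issued, unsigned, with a dummy modulus of the requested length), so the example runs offline; on a real system you would pass the contents of a bundle such as /etc/pki/tls/certs/ca-bundle.crt to weak_rsa_roots() instead.

```python
"""Audit a PEM trust bundle for RSA certificates with keys below 2048 bits.

Added example (stdlib only). The DER walker is deliberately minimal: it
handles the fixed field order of X.509 and nothing more.
"""
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1
OID_SHA256_WITH_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11


def _der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, offset of content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def der_children(buf):
    """Split the content of a constructed DER value into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag = buf[pos]
        length, start = _der_len(buf, pos + 1)
        out.append((tag, buf[start:start + length]))
        pos = start + length
    return out


def rsa_modulus_bits(cert_der):
    """Return the RSA modulus size in bits of a DER certificate, or None
    when the subjectPublicKeyInfo is not an rsaEncryption key."""
    (_, cert_body), = der_children(cert_der)
    tbs = der_children(cert_body)[0][1]                 # tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                            # optional [0] version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki = fields[5][1]
    (_, alg_id), (_, pubkey_bitstring) = der_children(spki)
    if der_children(alg_id)[0][1] != OID_RSA_ENCRYPTION:
        return None
    # BIT STRING content starts with the unused-bits count (0 for a DER key)
    rsa_key = der_children(pubkey_bitstring[1:])[0][1]  # RSAPublicKey SEQUENCE
    modulus = der_children(rsa_key)[0][1]               # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()


def weak_rsa_roots(pem_bundle, min_bits=2048):
    """Return [(index, bits)] for every RSA certificate in the bundle below min_bits."""
    weak = []
    for i, m in enumerate(PEM_RE.finditer(pem_bundle)):
        bits = rsa_modulus_bits(base64.b64decode(m.group(1)))
        if bits is not None and bits < min_bits:
            weak.append((i, bits))
    return weak


# ---- constructed test data: a tiny DER encoder to fabricate certificates ----

def _der(tag, content):
    """Encode one DER TLV (content lengths up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def _der_int(value):
    """DER INTEGER with a leading zero byte whenever the high bit is set."""
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def make_test_cert(modulus_bits):
    """Constructed, self-issued, unsigned X.509 v3 certificate whose RSA
    modulus has exactly modulus_bits bits (not a real key, garbage signature)."""
    modulus = (1 << (modulus_bits - 1)) | 1
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(65537))
    alg_id = _der(0x30, _der(0x06, OID_RSA_ENCRYPTION) + _der(0x05, b""))
    spki = _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403"))
                                        + _der(0x0C, b"Test Root CA"))))
    validity = _der(0x30, _der(0x17, b"160101000000Z") + _der(0x17, b"360101000000Z"))
    sig_alg = _der(0x30, _der(0x06, OID_SHA256_WITH_RSA) + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(1) + sig_alg
               + name + validity + name + spki)
    cert = _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" + b"\x00" * 32))
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert)
            + b"-----END CERTIFICATE-----\n")


def build_demo_bundle():
    """Three constructed roots: one 1024-bit (weak), one 2048, one 4096."""
    return b"".join(make_test_cert(bits) for bits in (1024, 2048, 4096))


if __name__ == "__main__":
    for index, bits in weak_rsa_roots(build_demo_bundle()):
        print(f"certificate #{index}: RSA-{bits} is below 2048 bits")
```

Only RSA keys are measured; an ECDSA root returns None and is skipped, since key-size thresholds differ per algorithm. The hard-coded field order (version, serial, signature, issuer, validity, subject, SPKI) is what RFC 5280 mandates, which is why the walker can index into tbsCertificate without a full ASN.1 schema.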