Re: ca-legacy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/06/2016 11:23 AM, Michael Catanzaro wrote:
> Hi,
> 
> Is any important software (e.g. openssl, gnutls, glib-networking,
> Qt) in Fedora still relying on our legacy 1024-bit root RSA
> certificates?
> 
> I believe Fedora is currently the only distro currently shipping
> these insecure root certificates. Originally, this was a good
> choice (and big thanks to Kai Engert for making it happen) because
> they were needed for compatibility with software using OpenSSL or
> GLib sockets. Nowadays, I'm not aware of any software that still
> needs them.
> 
> Since keeping these certificates around is a serious security
> issue, I propose we remove them if nothing "important" still needs
> them.
> 
> You can test if any of your software needs these certificates by 
> running 'sudo ca-legacy disable'.
> 

Well, the problem was never software that Fedora was shipping. The
problem is Fedora *as a client*. There are unfortunately many websites
out there that are still signed by insecure certificates. We certainly
need to choose a sunset date to stop shipping those insecure CAs, but
unfortunately we can't force everyone in the world to switch to sane
certificates.

(Realistically, this won't change until 6-12 months after Google
Chrome, Microsoft Internet Explorer and Apple Safari all eliminate
those CAs). I don't have any information on if or when this will
happen, but that's just about the only way that website admins will
suddenly care enough to fix things.

(It would also be nice if the CA issuers would be kinder about just
reissuing existing certificates without a fee, but they aren't...)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAlaNVUoACgkQeiVVYja6o6OnuACfUoTJvME2cRMBNIvDv4gEpy57
9HoAnAwSDYQU+wkDsBF/VeQMZ0QJcW8d
=qWyf
-----END PGP SIGNATURE-----
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux