Re: ca-legacy

On Wed, 2016-01-06 at 12:56 -0500, Stephen Gallagher wrote:
> Well, the problem was never software that Fedora was shipping. The
> problem is Fedora *as a client*. There are unfortunately many websites
> out there that are still signed by insecure certificates. We certainly
> need to choose a sunset date to stop shipping those insecure CAs, but
> unfortunately we can't force everyone in the world to switch to sane
> certificates.

Hi,

Mozilla worked with CAs to ensure impact would be limited before removing the affected root certificates. Mozilla responds to bug reports on bugzilla.mozilla.org in case a particular removal has had unexpectedly large impact, but they also have telemetry in Firefox to automatically report such issues; I trust them to take action if a removal causes unexpected breakage.

Any sites affected by these removals are broken in upstream Firefox. I don't see any reason Fedora software should be compatible with more sites than Firefox. I believe the value of the ca-legacy certificates outweighed the significant security risk when they improved the compatibility of Fedora software with Firefox. I was quite disappointed when, after the certificates were originally removed, various Fedora software (in particular, Epiphany) was unable to display sites that worked properly in Firefox. Nowadays, this is no longer an issue, and it seems to be a large risk for little or no benefit.

> (Realistically, this won't change until 6-12 months after Google
> Chrome, Microsoft Internet Explorer and Apple Safari all eliminate
> those CAs). I don't have any information on if or when this will
> happen, but that's just about the only way that website admins will
> suddenly care enough to fix things.

I think Firefox is the only browser that ships its own CA certificates.
Other browsers use the certificates provided by the operating system. I
have not heard of any plans from Microsoft or Apple to start removing
these certificates.

Michael
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx