public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] Gentoo and Root CAs
From: Tobias Klausmann @ 2012-12-31 14:42 UTC
To: gentoo-dev

Hey,

Ryan Sleevi, who's working on Chromium and is familiar with other
projects' Root Cert programs, has written an article on how he
perceives assorted distributions handle Root CAs:

https://plus.google.com/u/0/105761279104103278252/posts/eVdB6X3NpPg

"""
[...]
Debian: From [5]. According to README.debian, to get a CA
included, all you need is two or three people to support you.

Gentoo: From [6] Same as Debian. Note they also modify other
packages (such as dev-libs/nss) to inject root certs into other
programs' root stores.
[...]
References:
[5] http://packages.debian.org/squeeze/all/ca-certificates
[6] http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-misc/ca-certificates/
"""

Now before you reply, RTFA. Also note that while my own opinion
on the matter is irrelevant, I _do_ think that his concerns need
to be addressed, particularly the second half of his statement.


Regards,
Tobias



* Re: [gentoo-dev] Gentoo and Root CAs
From: Kevin Chadwick @ 2012-12-31 15:06 UTC
To: gentoo-dev

On Mon, 31 Dec 2012 15:42:39 +0100
Tobias Klausmann <klausman@gentoo.org> wrote:

>  I _do_ think that his concerns need
> to be addressed, particularly the second half of his statement.

Whilst I agree that, if it does, Debian's system shouldn't undermine
Mozilla's, I think the latest efforts are a pointless band-aid, but I'm
sure better solutions should come if we can get around the
CAs-wanting-to-make-money issue.

"Can you prove you know what certificates were issued, to whom, and who
authorized them?" Accountability 101! It's not perfect, but it's a huge
step forward from "Oh, this guy I know says it's cool"

Is it really? Introducing trust in people we don't know and can't
possibly verify (yes, I know the procedures that you could argue badly
are better than none).

What SSL protects is data between two servers, and all that is required
is to ensure that you are talking securely to the server or domain name
you have chosen to trust. Anything else is simply adding vectors of attack
and false senses of security. I thought DNSSEC may be extremely useful
for SSL, but it seems it may well just be the best available option
at the moment, as DNSSEC could do with an overhaul too first.



* Re: [gentoo-dev] Gentoo and Root CAs
From: Rich Freeman @ 2013-01-01  0:44 UTC
To: gentoo-dev

On Mon, Dec 31, 2012 at 9:42 AM, Tobias Klausmann <klausman@gentoo.org> wrote:
> Now before you reply, RTFA. Also note that while my own opinion
> on the matter is irrelevant, I _do_ think that his concerns need
> to be addressed, particularly the second half of his statement.

SSL Certificate Authorities are a mess.  Grab your favorite
browser/phone/etc. and take a look at the list of trusted authorities
and tell me if you have even heard of half of them.  If you look at
the list on a mobile device that is more than a year old or so, most
likely it still has the compromised DigiNotar certificates on
it, since nobody bothers to update most of these devices after they
are sold (one or two brands notwithstanding).

Mozilla of course happily packaged the DigiNotar certificates because
they paid the substantial fee and had the stack of paper that
demonstrated that at one point in time they at least had something
that resembled secure operations during a cursory audit.  They have
been steadily blocking providers like CAcert for just as long as they
had not demonstrated proper security theater.  As far as I'm aware,
the latter hasn't been handing out certificates for everything from
GMail to Hotmail to random hackers.

The certificates that Gentoo distributes have at least been vouched
for by somebody who is a part of our community, which is more than can
be said for most of the upstream certificates.

The bottom line is that if you care about security that much, you will
de-list all the CAs on your system and do your own audits (routinely),
or white-list individual website certificates (again after whatever
level of due diligence you feel is appropriate).  Perhaps you might
even hire somebody to do this work for you, but it will be somebody
you actually pay, and who will therefore treat you as a customer.
Make no mistake, you are NOT the customer of the CAs in your browser -
you are their product, sold to various companies for $200/yr or
whatever the going rate is.  It really isn't that much different from
advertising, if you want to get your message out, then you pay the
gatekeepers for the privilege.

My suggestion is to leave things alone, and by all means have a
disclaimer on the ca-certificates package as Debian does.  I'd rather
not bundle any certificates than be a party to the
hand-over-$10k-for-the-right-to-MITM-random-websites game.

Rich



* Re: [gentoo-dev] Gentoo and Root CAs
From: Dirkjan Ochtman @ 2013-01-01 10:51 UTC
To: Gentoo Development

On Tue, Jan 1, 2013 at 1:44 AM, Rich Freeman <rich0@gentoo.org> wrote:
> The certificates that Gentoo distributes have at least been vouched
> for by somebody who is a part of our community, which is more than can
> be said for most of the upstream certificates.

And you think "vouched for" by some community member is better than
Mozilla's audit process, however limiting it may be?

Yes, the CA system is broken, but it's what we've got for now. It
seems obvious that including fewer CA roots in our base package is a
better solution than including more of them, since (a) it's pretty
easy for our users to install more of them, including at scale (via an
overlay), and (b) actual security of a CA probably goes down
exponentially as you move towards CAs with a lower level of trust
placed in them by organizations like Mozilla.

Speaking of which, say what you will about Mozilla's broken criteria
for root inclusion, but Mozilla has no commercial interests, pretty
competent security staff, and is already spending lots of staff time
on managing their selection of CA roots. So I think we could do worse
than tracking them closely (and in fact, I'd say we *are* currently
doing just that -- doing worse).

IMO it would probably be good to limit our CA roots to Mozilla's
libnss selection by default and perhaps add a packaged selection of
secondary CAs (like CAcert) for those who are so inclined. And if
Debian's process is somewhat broken, it might be best to try not to
rely on them. It can't be too hard, if Mozilla is already packaging
the certificates somehow.

Cheers,

Dirkjan



* Re: [gentoo-dev] Gentoo and Root CAs
From: Rich Freeman @ 2013-01-01 12:48 UTC
To: gentoo-dev

On Tue, Jan 1, 2013 at 5:51 AM, Dirkjan Ochtman <djc@gentoo.org> wrote:
> On Tue, Jan 1, 2013 at 1:44 AM, Rich Freeman <rich0@gentoo.org> wrote:
>> The certificates that Gentoo distributes have at least been vouched
>> for by somebody who is a part of our community, which is more than can
>> be said for most of the upstream certificates.
>
> And you think "vouched for" by some community member is better than
> Mozilla's audit process, however limiting it may be?

Yes.  It certainly is no worse.  To date I'm not aware of a single
security incident involving a certificate introduced by a Gentoo
maintainer, but I'm certainly aware of a few involving
Mozilla-originated certs.

> (b) actual security of a CA probably goes down
> exponentially as you move towards CAs with a lower level of trust
> placed in them by organizations like Mozilla.

Care to substantiate that claim?  The fact that Mozilla trusts a
certificate does not confer security in and of itself.

> IMO it would probably be good to limit our CA roots to Mozilla's
> libnss selection by default and perhaps add a packaged selection of
> secondary CAs (like CAcert) for those who are so inclined. And if
> Debian's process is somewhat broken, it might be best to try not to
> rely on them. It can't be too hard, if Mozilla is already packaging
> the certificates somehow.

I've yet to see any evidence that Debian's process is broken.  There
is simply the claim that Mozilla's process is somehow better.

I could see the logic in requiring regular Gentoo audits for any
certificates we bundle, in which case we likely wouldn't be bundling
any certificates at all (and would be stripping any provided by
upstream).  However, the only thing following the Mozilla process
ensures is that a few commercial entities make lots of money (even if
Mozilla isn't one of them).  For a company with deep pockets like
Mozilla I can see why they do this - even if it provides no security
they can just say they're doing what everybody else is doing and it
will likely hold up in court.  The appearance of security matters more
than actual security to them.

Rich



* Re: [gentoo-dev] Gentoo and Root CAs
From: Michael Mol @ 2013-01-01 15:28 UTC
To: gentoo-dev

On Tue, Jan 1, 2013 at 5:51 AM, Dirkjan Ochtman <djc@gentoo.org> wrote:
> On Tue, Jan 1, 2013 at 1:44 AM, Rich Freeman <rich0@gentoo.org> wrote:
>> The certificates that Gentoo distributes have at least been vouched
>> for by somebody who is a part of our community, which is more than can
>> be said for most of the upstream certificates.
>
> And you think "vouched for" by some community member is better than
> Mozilla's audit process, however limiting it may be?
>
> Yes, the CA system is broken, but it's what we've got for now. It
> seems obvious that including fewer CA roots in our base package is a
> better solution than including more of them, since (a) it's pretty
> easy for our users to install more of them, including at scale (via an
> overlay), and (b) actual security of a CA probably goes down
> exponentially as you move towards CAs with a lower level of trust
> placed in them by organizations like Mozilla.
>
> Speaking of which, say what you will about Mozilla's broken criteria
> for root inclusion, but Mozilla has no commercial interests,

Wait, what? How does taking income during a process not constitute a
commercial interest? That money goes to something that's in the
interest of the Mozilla Foundation, whether it's paying for
infrastructure, paying for developers to do their thing, sponsoring
this, that or the other thing...

Without money Mozilla wouldn't exist, ergo Mozilla is interested in
money, ergo taking money in exchange for bundling a root cert carries
its own interest outside of the security properties of bundling the
root cert.

So if Mozilla has an interest in cert security, and an interest in
money, then including certs for money carries with it an inherent
conflict of interest.

Such as the world is, things cannot be done without money to exchange
for goods and services, so any entity with interests beyond money
needs to manage such a conflict, one way or another. So, the question
comes around to how well the entity manages that conflict of interest,
via things like ombudsmen or independent (how?) audit processes. Or
how it's managed for them, via things like reputation. (And it sounds
to me like Rich is making a strong argument about the reputation
angle, both in favor of vouching, and for observing security problems
with people Mozilla still bundles.)

(That's all I've got for this thread. Going back to lurking.)


--
:wq



* Re: [gentoo-dev] Gentoo and Root CAs
From: "Paweł Hajdan, Jr." @ 2013-01-01 18:32 UTC
To: gentoo-dev


On 1/1/13 2:51 AM, Dirkjan Ochtman wrote:
> IMO it would probably be good to limit our CA roots to Mozilla's
> libnss selection by default and perhaps add a packaged selection of
> secondary CAs (like CAcert) for those who are so inclined.

I think that's a good idea: make it easy to only use the Mozilla CA
roots, and also make it easy to use "the other" roots like CAcert.

Seems like it could be just a USE flag for affected packages.

Paweł




* [gentoo-dev] Re: Gentoo and Root CAs
From: Benjamin Peterson @ 2013-01-02  2:37 UTC
To: gentoo-dev

Michael Mol <mikemol <at> gmail.com> writes:
> On Tue, Jan 1, 2013 at 5:51 AM, Dirkjan Ochtman <djc <at> gentoo.org> wrote:
> > Speaking of which, say what you will about Mozilla's broken criteria
> > for root inclusion, but Mozilla has no commercial interests,
> 
> Wait, what? How does taking income during a process not constitute a
> commercial interest?

There seems to be some confusion about Mozilla's cert inclusion process. Mozilla
does not make any money by including CA certificates. Per its own policy [1],
"We will not charge any fees to have a CA's certificate(s) distributed with our
software products."

[1] https://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html

* Re: [gentoo-dev] Re: Gentoo and Root CAs
From: Michael Mol @ 2013-01-02  2:49 UTC
To: gentoo-dev

On Tue, Jan 1, 2013 at 9:37 PM, Benjamin Peterson <benjamin@python.org> wrote:
> Michael Mol <mikemol <at> gmail.com> writes:
>> On Tue, Jan 1, 2013 at 5:51 AM, Dirkjan Ochtman <djc <at> gentoo.org> wrote:
>> > Speaking of which, say what you will about Mozilla's broken criteria
>> > for root inclusion, but Mozilla has no commercial interests,
>>
>> Wait, what? How does taking income during a process not constitute a
>> commercial interest?
>
> There seems to be some confusion about Mozilla's cert inclusion process. Mozilla
> does not make any money by including CA certificates. Per its own policy [1],
> "We will not charge any fees to have a CA's certificate(s) distributed with our
> software products."
>
> [1] https://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html

Fair enough. I took Rich's email as an indication they did.



--
:wq



* Re: [gentoo-dev] Re: Gentoo and Root CAs
From: Rich Freeman @ 2013-01-02  3:09 UTC
To: gentoo-dev

On Tue, Jan 1, 2013 at 9:49 PM, Michael Mol <mikemol@gmail.com> wrote:
> On Tue, Jan 1, 2013 at 9:37 PM, Benjamin Peterson <benjamin@python.org> wrote:
>> Michael Mol <mikemol <at> gmail.com> writes:
>>> On Tue, Jan 1, 2013 at 5:51 AM, Dirkjan Ochtman <djc <at> gentoo.org> wrote:
>>> > Speaking of which, say what you will about Mozilla's broken criteria
>>> > for root inclusion, but Mozilla has no commercial interests,
>>>
>>> Wait, what? How does taking income during a process not constitute a
>>> commercial interest?
>>
>> There seems to be some confusion about Mozilla's cert inclusion process. Mozilla
>> does not make any money by including CA certificates. Per its own policy [1],
>> "We will not charge any fees to have a CA's certificate(s) distributed with our
>> software products."
>>
>> [1] https://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html
>
> Fair enough. I took Rich's email as an indication they did.

To be trusted by Mozilla you do indeed need to pay substantial sums of
money (in almost all cases), but you don't actually pay them to
Mozilla.  Typically you pay them to an auditor who specializes in such
things, such as WebTrust.  The fact that they don't even publish their
fees tells you all you need to know - I've heard they are in the
neighborhood of $10k.

My concern is that the approach chosen by Mozilla (and most other
software distributions produced by large corporations) is mostly about
having lots of paperwork and auditing, and is not about actual
security.  If a certificate authority has a pile of paperwork saying
they operate one way, it won't stop them from issuing certificates to
the NSA or whoever if they get a national security letter, or the
equivalent in one of the 400 other jurisdictions that these companies
reside in (many of which make the Patriot Act seem quite tame).

And that is just considering cases where the CA cooperates with legal
authorities.  Factor in incompetence and just about anything can
happen.  Incompetence happens in industries that have heavy government
scrutiny, such as in pharmaceuticals and aircraft maintenance.
Certificate authorities are almost completely unregulated in
comparison.

Basically the whole system is one big CYA maneuver.  DNSSEC is far
more promising as a certificate distribution system, and the legacy
SSL system really is just standing in the way.

Rich



* Re: [gentoo-dev] Gentoo and Root CAs
From: Mike Frysinger @ 2013-01-02  3:23 UTC
To: gentoo-dev


On Monday 31 December 2012 19:44:32 Rich Freeman wrote:
> The certificates that Gentoo distributes have at least been vouched
> for by somebody who is a part of our community, which is more than can
> be said for most of the upstream certificates.

mmm, Gentoo ships ca-certificates which comes directly from Debian.  when 
people request modification (add/remove/whatever), we bounce them to Debian.  
we specifically don't want to deal with this mess and instead "unload" it onto 
Debian :).

we don't modify openssl in any way wrt cert management.  it uses the certs the 
user themselves have installed, or other packages have installed into 
/etc/ssl/ (which atm is just ca-certificates afaik).

as for nss, i can't vouch for it directly since i haven't worked on it.  a 
cursory glance looks like we add cacert.org and spi (software in the public 
interest) root certs.  i don't know if it's possible, but it seems like nss 
should just look in the common /etc/ssl store.  either way, i don't see a 
problem here.

i don't know much about gnutls, but it doesn't seem like we do anything there 
other than package it up.
-mike


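Dirkjan's proposal (track Mozilla's libnss root selection by default) and Mike's description of the stores (OpenSSL reading whatever ca-certificates drops into /etc/ssl/, the nss package carrying a couple of extra roots) both turn on the same mechanical question: which roots does Mozilla's certdata.txt actually trust for TLS server authentication, and what does a local store carry beyond that set? The script below is an added example written for this page; it is not code from the thread, from Gentoo's or Debian's ca-certificates package, or from Mozilla. The file format it parses (CKA_* attribute lines, MULTILINE_OCTAL ... END blocks, a CKO_CERTIFICATE object paired with a CKO_NSS_TRUST object) is Mozilla's, but the excerpt is constructed and its certificate bytes are placeholders rather than real DER; pairing certificate and trust objects by CKA_LABEL is a simplification of Mozilla's issuer-plus-serial pairing; and INSTALLED_STORE is a constructed stand-in for the labels found in a local store. The point a naive "dump every certificate in the file" bundle misses is that certdata.txt also carries explicitly distrusted roots (CKT_NSS_NOT_TRUSTED, which is how a compromised CA stays listed) and roots trusted only for e-mail or code signing; only CKT_NSS_TRUSTED_DELEGATOR on CKA_TRUST_SERVER_AUTH means Mozilla trusts the root for TLS.

```python
"""Pick the roots Mozilla's certdata.txt trusts for TLS server auth and
diff a local trust store against them.  Added example for this thread,
not code from Gentoo's or Debian's ca-certificates or from Mozilla."""
import base64
import re

TRUSTED_DELEGATOR = "CKT_NSS_TRUSTED_DELEGATOR"

# Constructed excerpt in certdata.txt syntax (the grammar is Mozilla's, the
# CKA_VALUE bytes are placeholders, not real DER): one root trusted for
# server auth and one explicitly distrusted root.
SAMPLE_CERTDATA = r'''
BEGINDATA
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000
\001\002\003\004
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\002\000
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
'''

# Constructed stand-in for the labels in a local /etc/ssl or NSS store: a
# stale copy still holding the distrusted root, plus a locally added root.
INSTALLED_STORE = ["Example Trusted Root", "Example Distrusted Root",
                   "Example Local Root"]


def parse_certdata(text):
    """Split certdata.txt into objects (attribute -> value); an object starts
    at each CKA_CLASS line.  MULTILINE_OCTAL blocks become bytes."""
    objects, current = [], None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, kind, rest = (line.split(None, 2) + ["", ""])[:3]
        if name == "CKA_CLASS":
            current = {}
            objects.append(current)
        if current is None:  # BEGINDATA and other preamble
            continue
        if kind == "MULTILINE_OCTAL":
            buf = bytearray()
            for octal_line in lines:  # consume the same iterator up to END
                if octal_line.strip() == "END":
                    break
                buf.extend(int(o, 8) for o in re.findall(r"\\([0-7]{3})", octal_line))
            current[name] = bytes(buf)
        elif kind == "UTF8":
            current[name] = rest.strip('"')
        else:
            current[name] = rest
    return objects


def select_server_auth_roots(text):
    """{label: der} for certificates whose CKO_NSS_TRUST object grants
    CKT_NSS_TRUSTED_DELEGATOR for server auth.  Pairing by CKA_LABEL is an
    assumption here (Mozilla pairs on issuer + serial)."""
    objects = parse_certdata(text)
    trust = {o["CKA_LABEL"]: o for o in objects
             if o.get("CKA_CLASS") == "CKO_NSS_TRUST"}
    return {o["CKA_LABEL"]: o["CKA_VALUE"] for o in objects
            if o.get("CKA_CLASS") == "CKO_CERTIFICATE"
            and trust.get(o["CKA_LABEL"], {}).get("CKA_TRUST_SERVER_AUTH")
            == TRUSTED_DELEGATOR}


def to_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block (64-column base64)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def extra_roots(installed_labels, mozilla_roots):
    """Labels a local store carries beyond Mozilla's server-auth set:
    distribution additions and stale, since-distrusted roots."""
    return sorted(set(installed_labels) - set(mozilla_roots))


if __name__ == "__main__":
    roots = select_server_auth_roots(SAMPLE_CERTDATA)
    for label, der in roots.items():
        print(f"# {label}\n{to_pem(der)}")
    print("beyond Mozilla's set:", extra_roots(INSTALLED_STORE, roots))
```

Pointed at a real certdata.txt, select_server_auth_roots returns exactly the set Dirkjan is talking about, and writing each value through to_pem gives the bundle; on the sample, the distrusted root falls out even though its certificate is present in the file. extra_roots is the check the second half of Sleevi's remark calls for: feed it the labels of whatever is actually installed (in /etc/ssl/certs or in the nss store) and anything it returns was not Mozilla's decision, which is where a cacert.org or SPI root, or a DigiNotar root left behind on an unpatched store, shows up.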
