From: Dirkjan Ochtman
Date: Tue, 1 Jan 2013 11:51:29 +0100
Subject: Re: [gentoo-dev] Gentoo and Root CAs
To: Gentoo Development
References: <20121231144238.GA86695@kaini.schwarzvogel.de>

On Tue, Jan 1, 2013 at 1:44 AM, Rich Freeman wrote:
> The certificates that Gentoo distributes have at least been vouched
> for by somebody who is a part of our community, which is more than can
> be said for most of the upstream certificates.

And you think "vouched for" by some community member is better than Mozilla's audit process, however limiting it may be? Yes, the CA system is broken, but it's what we've got for now.

It seems obvious that including fewer CA roots in our base package is a better solution than including more of them, since (a) it's pretty easy for our users to install more of them, including at scale (via an overlay), and (b) actual security of a CA probably goes down exponentially as you move towards CAs with a lower level of trust placed in them by organizations like Mozilla.

Speaking of which, say what you will about Mozilla's broken criteria for root inclusion, but Mozilla has no commercial interests, pretty competent security staff, and is already spending lots of staff time on managing their selection of CA roots. So I think we could do worse than tracking them closely (and in fact, I'd say we *are* currently doing just that -- doing worse).

IMO it would probably be good to limit our CA roots to Mozilla's libnss selection by default and perhaps add a packaged selection of secondary CAs (like CACert) for those who are so inclined. And if Debian's process is somewhat broken, it might be best to try not to rely on them. It can't be too hard, if Mozilla is already packaging the certificates somehow.

Cheers,

Dirkjan
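The "Mozilla is already packaging the certificates somehow" in the message above refers to NSS's certdata.txt, which lists every built-in root as a CKO_CERTIFICATE object plus a separate CKO_NSS_TRUST object carrying per-purpose trust bits. The script below is an added example (not Gentoo's ca-certificates ebuild, not Mozilla's or Debian's tooling) of the core of what such a build does: parse the file, keep only roots whose CKA_TRUST_SERVER_AUTH is CKT_NSS_TRUSTED_DELEGATOR, and write them out as a PEM bundle. It matches trust objects to certificates by CKA_LABEL, which is a simplification (NSS itself keys trust on issuer and serial), and its input is a constructed excerpt in the certdata.txt shape whose CKA_VALUE blobs are placeholder bytes, not real DER certificates.

```python
import base64
import re

# Constructed sample in the shape of nss/lib/ckfw/builtins/certdata.txt.
# Labels are invented and the octal blobs are placeholders, not real certificates.
SAMPLE_CERTDATA = r'''
# Certificate "Example Trusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\001
\102
END

# Trust for "Example Trusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

# Certificate "Example Email-Only Root"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Email-Only Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\002\002
END

# Trust for "Example Email-Only Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Email-Only Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

# Certificate "Example Distrusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\003\003
END

# Trust for "Example Distrusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
'''

TRUSTED = "CKT_NSS_TRUSTED_DELEGATOR"  # trust-anchor bit; MUST_VERIFY_TRUST and NOT_TRUSTED are not anchors


def parse_objects(text):
    """Split certdata text into one {attribute: value} dict per object.
    Objects are separated by blank lines; a MULTILINE_OCTAL value runs until a line reading END."""
    objects, current, lines, i = [], {}, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("#"):
            if not line and current:
                objects.append(current)
                current = {}
            continue
        attr, typ, *rest = line.split(None, 2)
        if typ == "MULTILINE_OCTAL":
            raw = bytearray()
            while lines[i].strip() != "END":
                raw += bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", lines[i]))
                i += 1
            i += 1  # consume END
            current[attr] = bytes(raw)
        elif typ == "UTF8":
            current[attr] = rest[0].strip('"')
        else:
            current[attr] = rest[0] if rest else ""
    if current:
        objects.append(current)
    return objects


def server_auth_roots(text):
    """Return {label: DER} for roots that are trust anchors for TLS server auth.
    Email-only roots, roots NSS must verify rather than trust, and distrusted roots are dropped."""
    certs, trust = {}, {}
    for obj in parse_objects(text):
        label = obj.get("CKA_LABEL")
        if obj.get("CKA_CLASS") == "CKO_CERTIFICATE":
            certs[label] = obj["CKA_VALUE"]
        elif obj.get("CKA_CLASS") == "CKO_NSS_TRUST":
            trust[label] = obj.get("CKA_TRUST_SERVER_AUTH", "")
    return {label: der for label, der in certs.items() if trust.get(label) == TRUSTED}


def to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def build_bundle(text):
    """Concatenate the selected roots into a PEM bundle, each preceded by its label."""
    return "".join(f"# {label}\n{to_pem(der)}" for label, der in sorted(server_auth_roots(text).items()))


if __name__ == "__main__":
    print(build_bundle(SAMPLE_CERTDATA), end="")
```

Run against a real certdata.txt, this is the selection step that decides which roots end up in the base bundle; anything the distribution wants on top (a CACert-style secondary set, as the message suggests) belongs in a separate file rather than in the edited certdata. Newer certdata.txt revisions also carry CKA_NSS_SERVER_DISTRUST_AFTER attributes on some roots, which a production build should honour in addition to the trust bits checked here.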