From: Fannys
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] app-misc/ca-certificates
Date: Wed, 02 Jun 2021 07:48:23 +0000
Message-ID: <13496721-FF58-400B-9045-64C624A6F844@pretty.Easy.privacy>
In-Reply-To: <5f29a4f8-a1a5-9f4a-1fe2-f06172da8e6b@spamtrap.tnetconsulting.net>
References: <20210529030839.123d8526@melika.host77.tld> <5480288.DvuYhMxLoT@iris> <61db8745-dbb4-9c7e-80a9-6725905178c4@iinet.net.au> <1cc069e9-b708-c994-ca93-dc0a2d77f8f9@spamtrap.tnetconsulting.net> <5f29a4f8-a1a5-9f4a-1fe2-f06172da8e6b@spamtrap.tnetconsulting.net>
List-Id: Gentoo Linux mail
On June 2, 2021 1:51:06 AM UTC, Grant Taylor wrote:
>On 6/1/21 3:38 PM, Michael Orlitzky wrote:
>> *Any* CA can just generate a new key and sign the corresponding
>> certificate.
>
>This is where what can /technically/ be done diverges from what is
>/allowed/ to be done.
>
>CAs adhering to the CA/B Forum's requirements on CAA records mean that
>they aren't allowed to issue a certificate for a domain that doesn't
>list them in the CAA record.
>
>If a CA violates the CAA record requirement, then the CA has bigger
>issues and will be subject to distrusting in mass.
>
>Certificate Transparency logs make it a lot easier to identify if such
>shenanigans are done. -- I think that the CA/B Forum is also requiring
>C.T. Logs.
>
>Also, CAs /should/ *NOT* be generating keys. The keys should be
>generated by the malicious party trying to pull the shenanigans that
>you're talking about.
>
>> All browsers will treat their fake certificate corresponding to the
>> fake key on their fake web server as completely legitimate. The "real"
>> original key that you generated has no special technical properties
>> that distinguish it.
>
>Not /all/ browsers. I know people that have run browser extensions to
>validate the TLS certificate that they receive against records published
>via DANE in DNS, which is protected by DNSSEC. So it's effectively
>impossible for a rogue CA and malicious actor to violate that chain of
>trust in a way that can't be detected and acted on.

From my understanding it's all based on trust and faith unless I take steps from my side. That doesn't seem very safe. Tech should be based on tech. Not faith and trust on the other party.

Marinus

[attachment: pEpkey.asc, PGP public key]
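The CAA check Grant Taylor refers to in the quoted reply is performed by the CA, not by the client, and the quoted text does not show what that check actually involves. The following is an added example, not code from the thread or from any CA's software: it implements the RFC 8659 decision procedure over a constructed in-memory zone, so it can be run offline. Everything in `ZONE` and the CA names `ca-one.example` / `ca-two.example` are assumptions made for the example. It goes slightly beyond the quoted text by showing the parts of the rule that matter in practice: a name without its own CAA RRset inherits the closest ancestor's, `issuewild` takes precedence over `issue` for wildcard names, an empty issuer (`issue ";"`) blocks every CA, and an unknown property tag with the critical flag set blocks issuance outright.

```python
"""RFC 8659 CAA evaluation over a constructed, in-memory DNS zone.

Added example (not code from the mailing-list thread). It models the check a
CA is required to run before issuing. Zone contents and CA names are
constructed for illustration.
"""
from dataclasses import dataclass

CRITICAL = 128  # issuer-critical bit of the CAA flags byte (RFC 8659 s4.1)


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed zone data: owner name -> CAA RRset. Names with no entry have no
# CAA RRset of their own and inherit from the nearest ancestor (RFC 8659 s3).
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "ca-one.example"),
        CAARecord(0, "issuewild", ";"),           # no CA may issue wildcard certs
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [
        CAARecord(0, "issue", ";"),               # empty issuer: no CA may issue at all
    ],
    "strict.example.com": [
        CAARecord(0, "issue", "ca-one.example"),
        CAARecord(CRITICAL, "futuretag", "x"),    # unknown tag flagged critical
    ],
    "open.example.com": [
        CAARecord(0, "iodef", "mailto:security@example.com"),  # reporting only
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(zone, name):
    """RFC 8659 s3: climb from `name` toward the root and return the first
    non-empty CAA RRset. An empty list means the name has no CAA policy."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels.pop(0)
    return []


def issuer_domain(value):
    """issuer-domain-name is the text before the first ';' (parameters follow it)."""
    return value.split(";", 1)[0].strip().lower()


def issuance_permitted(zone, fqdn, ca_domain):
    """Return True if the CA identified by `ca_domain` may issue for `fqdn`.
    `fqdn` may be a wildcard name such as '*.example.com'."""
    wildcard = fqdn.startswith("*.")
    lookup_name = fqdn[2:] if wildcard else fqdn   # wildcard policy comes from the parent
    rrset = relevant_rrset(zone, lookup_name)
    if not rrset:
        return True  # no CAA policy anywhere up the tree
    # s4.1: an unrecognised property tag with the critical flag set forbids issuance
    if any((r.flags & CRITICAL) and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # s4.3: for wildcard names, issuewild records take precedence when present;
    # otherwise issue records govern both wildcard and non-wildcard names
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True  # an RRset exists but restricts nothing for this kind of name
    return any(issuer_domain(r.value) == ca_domain.lower() for r in governing)


if __name__ == "__main__":
    for name, ca in [("www.example.com", "ca-one.example"),
                     ("www.example.com", "ca-two.example"),
                     ("*.example.com", "ca-one.example"),
                     ("locked.example.com", "ca-one.example"),
                     ("strict.example.com", "ca-one.example"),
                     ("open.example.com", "ca-two.example")]:
        print(f"{ca} -> {name}: {'permitted' if issuance_permitted(ZONE, name, ca) else 'refused'}")
```

The lookup here reads a static dictionary; a real CA resolves the records live at issuance time, and how a lookup or DNSSEC-validation failure is treated is set by RFC 8659 and the CA/B Forum Baseline Requirements rather than shown above. The check also only constrains a CA that runs it honestly, which is the point Marinus makes: it is a rule the CA follows, not a property the client can verify from the certificate alone.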