From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 2692A1382C5 for ; Wed, 2 Jun 2021 07:23:08 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 77261E088A; Wed, 2 Jun 2021 07:23:04 +0000 (UTC)
Received: from gw1.antarean.org (gw1.antarean.org [194.145.200.214]) by pigeon.gentoo.org (Postfix) with ESMTP id 0B504E081A for ; Wed, 2 Jun 2021 07:23:03 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by gw1.antarean.org (Postfix) with ESMTP id 4Fw0Xd0T6dz10xh for ; Wed, 2 Jun 2021 09:10:09 +0200 (CEST)
X-Virus-Scanned: amavisd-new at antarean.org
Received: from gw1.antarean.org ([127.0.0.1]) by localhost (gw1.antarean.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XDajtLj8xRS5 for ; Wed, 2 Jun 2021 09:10:08 +0200 (CEST)
Received: from mailstore1.adm.antarean.org (localhost [127.0.0.1]) by gw1.antarean.org (Postfix) with ESMTP id 4Fw0Xc4gNfzygK for ; Wed, 2 Jun 2021 09:10:08 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by mailstore1.adm.antarean.org (Postfix) with ESMTP id 4Fw0qV2GHdz15 for ; Wed, 2 Jun 2021 09:23:02 +0200 (CEST)
X-Virus-Scanned: amavisd-new at antarean.org
Received: from mailstore1.adm.antarean.org ([127.0.0.1]) by localhost (mailstore1.adm.antarean.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0ROWqqgUWMFQ for ; Wed, 2 Jun 2021 09:23:02 +0200 (CEST)
Received: from iris.localnet (iris.adm.antarean.org [10.55.16.47]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mailstore1.adm.antarean.org (Postfix) with ESMTPSA id 4Fw0qV02Dvzj for ; Wed, 2 Jun 2021 09:23:02 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=antarean.org; s=default; t=1622618582; bh=jCvOYbTLar4qAOejVbAUgroV1HlAmGxPZZwPKZN9tyo=; h=From:To:Subject:Date:In-Reply-To:References; b=JsAlb3x6biiW7Yw2DC1jSik0m0WIbsAafX1vDUChlwqjZuUpbIZR1ic2RZWCR+cbNrqCN8hS6Lur902N0VcU+p0ew18edwrN63eNp9HW5IWUzd2QYNr+Liu7B1mJ0JluOmaAgrv0F4nmWR7JGD3NdvyvW3Ed857fk9Kc9mwQoBM=
From: "J. Roeleveld"
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] app-misc/ca-certificates
Date: Wed, 02 Jun 2021 09:23:01 +0200
Message-ID: <5467960.DvuYhMxLoT@iris>
In-Reply-To: <5329FDAF-AA34-4B30-85CF-BBFA907B2EE7@pretty.Easy.privacy>
References: <20210529030839.123d8526@melika.host77.tld> <5480288.DvuYhMxLoT@iris> <5329FDAF-AA34-4B30-85CF-BBFA907B2EE7@pretty.Easy.privacy>
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
X-Archives-Salt: d8533183-6d1c-4e1c-8ae1-13ef18d81ab8
X-Archives-Hash: 4b876e79baf54ff217e88a053c728351

On Wednesday, June 2, 2021 12:28:49 AM CEST Fannys wrote:
> On June 1, 2021 4:45:45 AM UTC, "J. Roeleveld" wrote:
> >On Saturday, May 29, 2021 8:26:57 AM CEST Walter Dnes wrote:
> >> On Sat, May 29, 2021 at 03:08:39AM +0200, zcampe@gmail.com wrote
> >>
> >> > 125 config files in /etc/ssl/certs needs update.
> >> >
> >> > For certificates I would expect the old and invalid ones to be replaced
> >> > by newer ones without user intervention.
> >> >
> >> Looking through them is "interesting". There seem to be a lot of
> >> /etc/ssl/certs/????????.0 files, where "?" is either a random number or
> >> a lower case letter. These all seem to be symlinks to
> >> /etc/ssl/certs/.pem. Each of those files is in turn a
> >> symlink to /usr/share/ca-certificates/mozilla/.crt. How much
> >> do we trust China? There are a couple of certificates in there named
> >> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_1.crt and
> >> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_3.crt. Any
> >> other suspicious regimes in there?
> >
> >I've always wondered about the amount of CAs that are auto-trusted on any
> >system. Including several from countries with serious human rights issues.
> >
> >I could do with a tool where I can easily select which CAs to trust based on
> >country.
> >
> >--
> >Joost
>
> Is there actually any tool that can let me pick my certificates?
> If I go and start randomly deleting certificates from regimes I don't like,
> will there be any "breaking change"? I suppose Firefox uses its own
> certificate store though.

If the CA is removed from your system/app/..., any key signed by that CA will
be seen as "untrusted" (treated as if self-signed) and you need to go through
the usual hoops to allow that certificate to be used.

--
Joost