From: William Kenworthy
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] app-misc/ca-certificates
Date: Tue, 1 Jun 2021 13:15:00 +0800
Message-ID: <61db8745-dbb4-9c7e-80a9-6725905178c4@iinet.net.au>
In-Reply-To: <5480288.DvuYhMxLoT@iris>
References: <20210529030839.123d8526@melika.host77.tld> <5480288.DvuYhMxLoT@iris>

On 1/6/21 12:45 pm, J. Roeleveld wrote:
> On Saturday, May 29, 2021 8:26:57 AM CEST Walter Dnes wrote:
>> On Sat, May 29, 2021 at 03:08:39AM +0200, zcampe@gmail.com wrote
>>
>>> 125 config files in /etc/ssl/certs needs update.
>>>
>>> For certificates I would expect the old and invalid ones to be replaced
>>> by newer ones without user intervention.
>>
>> Looking through them is "interesting". There seem to be a lot of
>> /etc/ssl/certs/????????.0 files, where "?" is either a random number or
>> a lower-case letter. These all seem to be symlinks to
>> /etc/ssl/certs/.pem. Each of those files is in turn a
>> symlink to /usr/share/ca-certificates/mozilla/.crt. How much
>> do we trust China? There are a couple of certificates in there named
>> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_1.crt and
>> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_3.crt. Any
>> other suspicious regimes in there?
>
> I've always wondered about the number of CAs that are auto-trusted on any
> system, including several from countries with serious human rights issues.
>
> I could do with a tool where I can easily select which CAs to trust based on
> country.
>
> --
> Joost

And another "wondering" - all the warnings about trusting self-signed certs
seem a bit self-serving. Yes, they are trying to certify who you are, but at
the expense of probably allowing access to your communications by "authorised
parties" (such as commercial entities purchasing access for MITM access - e.g.
certain router/firewall companies doing deep inspection of SSL via re-signing
or owning both endpoints). If it's only your own communications and not with a
third, commercial party, self-signed seems a lot more secure.

Getting a bit OT, but interesting nonetheless.

BillK

Ref:
https://checkthefirewall.com/blogs/fortinet/ssl-inspection
https://us-cert.cisa.gov/ncas/alerts/TA17-075A
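A small audit script along the lines of the per-country selection tool Joost asks for, added here as an example and not code from the thread or from app-misc/ca-certificates itself; it assumes the Debian-style layout Gentoo's package uses (/etc/ca-certificates.conf listing mozilla/*.crt entries, a leading "!" disabling one, and update-ca-certificates rebuilding the /etc/ssl/certs symlinks from the enabled set) and shells out to openssl to read each root's subject.

```python
"""Audit the CA trust store by country and emit a pruned ca-certificates.conf.
Assumed layout (not from the thread): /etc/ca-certificates.conf lists .crt
paths relative to /usr/share/ca-certificates; '!' in front disables an entry."""
import re
import subprocess
from pathlib import Path

CA_ROOT = Path("/usr/share/ca-certificates")   # assumed install root
CONF = Path("/etc/ca-certificates.conf")       # assumed config file


def parse_conf(text):
    """Return {relative .crt path: enabled?} from ca-certificates.conf text."""
    entries = {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue                       # blank line or comment
        entries[line.lstrip("!")] = not line.startswith("!")
    return entries


def country_from_subject(subject):
    """Pull the C= attribute out of an RFC 2253 subject string (None if absent)."""
    m = re.search(r"(?:^|,)C=([A-Z]{2})(?:,|$)", subject)
    return m.group(1) if m else None


def cert_subject(path):
    """Ask openssl for the subject of one root; output is 'subject=CN=..,C=XX'."""
    out = subprocess.run(["openssl", "x509", "-in", str(path), "-noout",
                          "-subject", "-nameopt", "RFC2253"],
                         capture_output=True, text=True, check=True).stdout
    return out.partition("=")[2].strip()   # drop the leading 'subject='


def render_conf(entries, distrust_countries, countries):
    """Re-emit the conf with every CA from a distrusted country disabled."""
    lines = []
    for rel, enabled in entries.items():
        keep = enabled and countries.get(rel) not in distrust_countries
        lines.append(("" if keep else "!") + rel)
    return "\n".join(lines) + "\n"


def audit(distrust_countries=()):
    """Map each configured root to its country and return the pruned conf text."""
    entries = parse_conf(CONF.read_text())
    countries = {rel: country_from_subject(cert_subject(CA_ROOT / rel))
                 for rel in entries}
    return render_conf(entries, set(distrust_countries), countries)
```

Write the result of audit() back to the conf and run update-ca-certificates to regenerate the hash symlinks; the disabled roots simply stop appearing in /etc/ssl/certs.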