public inbox for gentoo-user@lists.gentoo.org
 help / color / mirror / Atom feed
Search results ordered by [date|relevance]  view[summary|nested|Atom feed]
thread overview below | download: 
* Re: [gentoo-user] app-misc/ca-certificates
  @ 2021-06-02  7:23 99%     ` J. Roeleveld
  0 siblings, 0 replies; 1+ results
From: J. Roeleveld @ 2021-06-02  7:23 UTC (permalink / raw
  To: gentoo-user

On Wednesday, June 2, 2021 12:28:49 AM CEST Fannys wrote:
> On June 1, 2021 4:45:45 AM UTC, "J. Roeleveld" <joost@antarean.org> wrote:
> >On Saturday, May 29, 2021 8:26:57 AM CEST Walter Dnes wrote:
> >> On Sat, May 29, 2021 at 03:08:39AM +0200, zcampe@gmail.com wrote
> >> 
> >> > 125 config files in /etc/ssl/certs needs update.
> >> > 
> >> > For certificates I would expect the old and invalid ones to be
> >
> >replaced
> >
> >> > by newer ones without user intervention.
> >> > 
> >>   Looking through them is "interesting".  There seem to be a lot of
> >> 
> >> /etc/ssl/certs/????????.0 files, where "?" is either a random number
> >
> >or
> >
> >> a lower case letter.  These all seem to be symlinks to
> >> /etc/ssl/certs/<Some_Name>.pem.  Each of those files is in turn a
> >> symlink to /usr/share/ca-certificates/mozilla/<Some_Name>.crt.  How
> >
> >much
> >
> >> do we trust China?  There are a couple of certificates in there named
> >> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_1.crt  and
> >> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_3.crt.  Any
> >> other suspicious regimes in there?
> >
> >I've always wondered about the amount of CAs that are auto-trusted on
> >any
> >system. Including several from countries with serious human rights
> >issues.
> >
> >I could do with a tool where I can easily select which CAs to trust
> >based on
> >country.
> >
> >--
> >Joost
> 
> Is there actually any tool that can let me pick my certificates?
> If i go and start deleting randomly certificates from regimes i dont like
> will there be any "breaking change"? I suppose firefox uses its own
> certificate store though.

If the CA is removed from your system/app/..., any key signed by that CA will 
be seen as "untrusted" (treated as if self-signed) and you need to go through 
the usual hoops to allow that certificate to be used.

--
Joost




^ permalink raw reply	[relevance 99%]

Results 1-1 of 1 | reverse | options above
-- pct% links below jump to the message on this page, permalinks otherwise --
2021-05-29  1:08     [gentoo-user] app-misc/ca-certificates zcampe
2021-06-01  4:45     ` J. Roeleveld
2021-06-01 22:28       ` Fannys
2021-06-02  7:23 99%     ` J. Roeleveld

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox