From: Adam Carter <adamcarter3@gmail.com>
To: Gentoo User <gentoo-user@lists.gentoo.org>
Date: Thu, 3 Jun 2021 19:06:21 +1000
Subject: Re: [gentoo-user] app-misc/ca-certificates
List-Id: Gentoo Linux mail
Reply-to: gentoo-user@lists.gentoo.org
References: <20210529030839.123d8526@melika.host77.tld> <5480288.DvuYhMxLoT@iris> <61db8745-dbb4-9c7e-80a9-6725905178c4@iinet.net.au>

On Tue, Jun 1, 2021 at 11:29 PM Rich Freeman <rich0@gentoo.org> wrote:
> On Tue, Jun 1, 2021 at 7:59 AM Adam Carter <adamcarter3@gmail.com> wrote:
> >>
> >> And another "wondering" - all the warnings about trusting self signed
> >> certs seem a bit self serving. Yes, they are trying to certify who you
> >> are, but at the expense of probably allowing access to your
> >> communications by "authorised parties" (such as commercial entities
> >> purchasing access for MITM access - e.g. certain router/firewall
> >> companies doing deep inspection of SSL via resigning or owning both end
> >> points).
> >
> > AFAIK in an enterprise MITM works by having a local CA added to the cert
> > stores of the workstation fleet, and having that CA auto generate the certs
> > for MITM. That didn't work with certificate pinning, but pinning has been
> > deprecated.
>
> So, I don't know all the ways that pinning is implemented, but if
> you're talking about using MITM to snoop on enterprise devices on the
> enterprise network I'd think that pinning wouldn't be an issue,
> because you control the devices from cradle to grave. Just ensure the
> pinned certificates are the ones that let you MITM the connections.

After seeing Grant's mention of CAA records I think I may have conflated
pinning with them, or perhaps there were some special controls in Chrome to
check that google certs were issued by the correct CA? Sorry I'm not clear on
this now (and may have never been).
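The mechanism the thread describes, as an added example in Go's standard library (editor's code, not anything from the thread or from Gentoo): an inspection CA is minted and used to auto-generate a certificate for a site, the forged chain validates only once that CA is in the trust store, and a pin on the site's genuine SubjectPublicKeyInfo (SHA-256 of the SPKI, the form HPKP used) still rejects it because a pin compares keys rather than chains. "Corp Inspection CA", example.test and the keys are all constructed on the spot.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a certificate for cn signed by parent; with parent nil it is a self-signed root.
func issue(cn string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn} // a leaf must carry the hostname as a SAN
	}
	if parent == nil {
		parent, pkey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// Scenario mints an inspection CA plus a forged leaf for a pinned site and reports: chain valid with the CA trusted, valid without it, SPKI pin still matching.
func Scenario() (withCA, withoutCA, pinMatch bool) {
	realKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the site's genuine key (constructed)
	realSPKI, _ := x509.MarshalPKIXPublicKey(&realKey.PublicKey)
	ca, caKey := issue("Corp Inspection CA", true, nil, nil) // hypothetical enterprise CA
	forged, _ := issue("example.test", false, ca, caKey)   // the proxy's auto-generated certificate
	store := x509.NewCertPool()
	store.AddCert(ca) // the "local CA added to the workstation cert store"
	_, errWith := forged.Verify(x509.VerifyOptions{Roots: store, DNSName: "example.test"})
	_, errWithout := forged.Verify(x509.VerifyOptions{Roots: x509.NewCertPool(), DNSName: "example.test"})
	pinMatch = sha256.Sum256(forged.RawSubjectPublicKeyInfo) == sha256.Sum256(realSPKI)
	return errWith == nil, errWithout == nil, pinMatch
}
```

CAA records, by contrast, are checked by public CAs at issuance time (RFC 8659) and not by clients, so they say nothing about a locally trusted inspection CA; only a client-side key or certificate pin detects the substitution shown here.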