Handling of TrustCor Systems' root CAs

["Peter Müller" <peter.mueller@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 1544 bytes --]

Hello development folks,

well, I always hate it when the concerns expressed in blog posts of mine come true.
Alas, in case of the last one on DANE (https://blog.ipfire.org/post/global-pki-considered-harmful-a-plaidoyer-for-using-dane),
we now seem to have another textbook incident of a trusted, but rogue CA operator
likely providing TLS surveillance capabilities to government entities:
https://www.washingtonpost.com/technology/2022/11/08/trustcor-internet-addresses-government-connections/

Mozilla stated that it is currently investigating into TrustCor Systems' nature, and
would remove its root certificates from its trust store if questions sent to TrustCore
are not answered in a satisfying manner by November 22.

We are probably not going to have a Core Update released before this date. Also, as
much as I would like to remove TrustCor Systems' certificates from the trust store
we ship, this would be a slippery slope: First, we would have _another_ thing we have
to maintain our own, and second, there are plenty of other dubious root CAs out there -
where do we draw the line?

(To be honest, I am a bit surprised to see such TLS surveillance activity being
carried out through dedicated root CAs - to the best of my understanding, procuring
a trusted intermediate CA would have been a more stealthy approach.)

I guess this leaves us with watching Mozilla's trust store closely, and adapt their
changes before releasing the next Core Update.

Any opinions?

Thanks, and best regards,
Peter Müller