From: Peter Müller
To: development@lists.ipfire.org
Subject: Handling of TrustCor Systems' root CAs
Date: Thu, 10 Nov 2022 10:39:09 +0000
Message-ID: <228fd6b3-d126-45b3-8d8b-e074133b8c37@ipfire.org>

Hello development folks,

well, I always hate it when the concerns expressed in blog posts of mine come true. Alas, in case of the last one on DANE (https://blog.ipfire.org/post/global-pki-considered-harmful-a-plaidoyer-for-using-dane), we now seem to have another textbook incident of a trusted, but rogue, CA operator likely providing TLS surveillance capabilities to government entities:

https://www.washingtonpost.com/technology/2022/11/08/trustcor-internet-addresses-government-connections/

Mozilla stated that it is currently investigating TrustCor Systems' nature, and would remove its root certificates from its trust store if the questions sent to TrustCor are not answered in a satisfying manner by November 22.

We are probably not going to have a Core Update released before this date. Also, as much as I would like to remove TrustCor Systems' certificates from the trust store we ship, this would be a slippery slope: First, we would have _another_ thing we have to maintain on our own, and second, there are plenty of other dubious root CAs out there - where do we draw the line?

(To be honest, I am a bit surprised to see such TLS surveillance activity being carried out through dedicated root CAs - to the best of my understanding, procuring a trusted intermediate CA would have been a more stealthy approach.)

I guess this leaves us with watching Mozilla's trust store closely, and adopting their changes before releasing the next Core Update.

Any opinions?

Thanks, and best regards,
Peter Müller
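The operational step the mail ends on, tracking Mozilla's trust store and applying its removals to the bundle a distribution ships, can be scripted. The following is an added example written for this page; it is not code from the mail's author or from the IPFire project. It assumes a PEM bundle in the mk-ca-bundle style (a name line, a `=` underline, then the certificate), identifies each root by the SHA-256 fingerprint of its DER encoding rather than by its name, reports which roots were added or removed between two bundle versions, and rebuilds the shipped bundle without the removed ones. The two sample bundles and their base64 bodies are constructed placeholders, not real certificates; the function names are this example's own.

```python
import base64
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def parse_bundle(text: str) -> dict:
    """Map SHA-256 fingerprint -> (label, pem_block) for every cert in a bundle.

    The label is the last non-empty line before a BEGIN marker that is not a
    '=' underline or a '#' comment; that is how mk-ca-bundle style bundles
    name each root.  Certificates without such a line get '<unnamed>'.
    """
    certs = {}
    label = "<unnamed>"
    body = None
    for raw in text.splitlines():
        line = raw.strip()
        if body is None:
            if line == BEGIN:
                body = []
            elif line and not line.startswith(("=", "#")):
                label = line
            continue
        if line == END:
            der = base64.b64decode("".join(body), validate=True)
            pem = "\n".join([BEGIN, *body, END])
            certs[fingerprint(der)] = (label, pem)
            body, label = None, "<unnamed>"
        else:
            body.append(line)
    if body is not None:
        raise ValueError("unterminated certificate block")
    return certs


def diff_bundles(old_text: str, new_text: str):
    """Return (added, removed) as {fingerprint: label} dicts."""
    old, new = parse_bundle(old_text), parse_bundle(new_text)
    added = {fp: new[fp][0] for fp in new.keys() - old.keys()}
    removed = {fp: old[fp][0] for fp in old.keys() - new.keys()}
    return added, removed


def drop_roots(text: str, fingerprints) -> str:
    """Rebuild a bundle without the certificates whose fingerprints are listed."""
    keep = []
    for fp, (label, pem) in parse_bundle(text).items():
        if fp not in fingerprints:
            keep.append(f"{label}\n{'=' * len(label)}\n{pem}\n")
    return "\n".join(keep)


# Constructed sample bundles.  The base64 bodies are NOT real certificates;
# they are placeholder bytes so the script runs offline.  On a real system
# pass in the bundle you ship and one regenerated from a newer Mozilla
# certdata.txt instead.
def _block(label: str, payload: bytes) -> str:
    b64 = base64.b64encode(payload).decode()
    return f"{label}\n{'=' * len(label)}\n{BEGIN}\n{b64}\n{END}\n\n"


OLD_BUNDLE = (
    _block("Example Trusted Root A", b"placeholder-der-root-A")
    + _block("Example Distrusted Root", b"placeholder-der-distrusted")
)
NEW_BUNDLE = (
    _block("Example Trusted Root A", b"placeholder-der-root-A")
    + _block("Example New Root B", b"placeholder-der-root-B")
)

if __name__ == "__main__":
    added, removed = diff_bundles(OLD_BUNDLE, NEW_BUNDLE)
    for fp, label in removed.items():
        print(f"REMOVED upstream: {label} ({fp[:16]}...)")
    for fp, label in added.items():
        print(f"ADDED upstream:   {label} ({fp[:16]}...)")
    # Apply the upstream removals to the bundle we ship.
    trimmed = drop_roots(OLD_BUNDLE, set(removed))
    print(f"{len(parse_bundle(trimmed))} roots remain after applying removals")
```

Keying on fingerprints rather than names matters because a CA can re-issue a root under the same display name; a removal decision made upstream applies to specific certificates, and the fingerprint is what a distribution can verify against the published decision before cutting a release.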