From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Handling of TrustCor Systems' root CAs
Date: Thu, 10 Nov 2022 14:17:33 +0000
Message-ID:
In-Reply-To: <228fd6b3-d126-45b3-8d8b-e074133b8c37@ipfire.org>

Hello Peter,

> On 10 Nov 2022, at 10:39, Peter Müller wrote:
>
> Hello development folks,
>
> well, I always hate it when the concerns expressed in blog posts of mine come true.
> Alas, in case of the last one on DANE (https://blog.ipfire.org/post/global-pki-considered-harmful-a-plaidoyer-for-using-dane),
> we now seem to have another textbook incident of a trusted, but rogue CA operator
> likely providing TLS surveillance capabilities to government entities:
> https://www.washingtonpost.com/technology/2022/11/08/trustcor-internet-addresses-government-connections/
>
> Mozilla stated that it is currently investigating TrustCor Systems' nature, and
> would remove its root certificates from its trust store if questions sent to TrustCor
> are not answered in a satisfying manner by November 22.
>
> We are probably not going to have a Core Update released before this date. Also, as
> much as I would like to remove TrustCor Systems' certificates from the trust store
> we ship, this would be a slippery slope: First, we would have _another_ thing we have
> to maintain on our own, and second, there are plenty of other dubious root CAs out there -
> where do we draw the line?
>
> (To be honest, I am a bit surprised to see such TLS surveillance activity being
> carried out through dedicated root CAs - to the best of my understanding, procuring
> a trusted intermediate CA would have been a more stealthy approach.)
>
> I guess this leaves us with watching Mozilla's trust store closely, and adapting their
> changes before releasing the next Core Update.

Yes, I would say so.

You mentioned the obvious reason before. Another one would be that it is not a good idea if some browser can open a TLS connection to some website, but IPFire cannot. That is unintuitive and difficult to debug behaviour.

Best,
-Michael

> Any opinions?
>
> Thanks, and best regards,
> Peter Müller
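A worked illustration of the approach the thread settles on, mirroring an upstream distrust decision into the CA bundle a product ships, as an added example in Go; it is not code from this thread, from IPFire or from Mozilla. The roots and the server certificate are constructed in memory, the organisation strings passed to NewRoot are placeholders rather than TrustCor's real subject name, and nothing is fetched from Mozilla's store. The point is only to show how pruning one root from a PEM bundle changes the verification result for a site certified under it, which is the firewall side of the "browser connects, IPFire cannot" asymmetry Michael points out.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"strings"
	"time"
)

// issue generates a P-256 key and certifies it from tmpl, signed by parent/signer (nil signer: self-signed).
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// NewRoot builds a constructed self-signed CA (org is a placeholder name) and its PEM form, standing in for a bundle entry.
func NewRoot(org string) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: org + " Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, key := issue(tmpl, tmpl, nil)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
}

// IssueLeaf returns a server certificate for host signed by the given CA.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, _ := issue(tmpl, ca, caKey)
	return cert
}

// FilterBundle drops every CERTIFICATE block whose subject Organization matches
// (case-insensitively) an entry of distrusted; other blocks pass through untouched.
func FilterBundle(bundle []byte, distrusted []string) (kept []byte, removed []string) {
	var out bytes.Buffer
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type == "CERTIFICATE" {
			if cert, err := x509.ParseCertificate(block.Bytes); err == nil && distrustedOrg(cert, distrusted) {
				removed = append(removed, cert.Subject.String())
				continue
			}
		}
		out.Write(pem.EncodeToMemory(block))
	}
	return out.Bytes(), removed
}

func distrustedOrg(cert *x509.Certificate, distrusted []string) bool {
	for _, org := range cert.Subject.Organization {
		for _, d := range distrusted {
			if strings.EqualFold(org, d) {
				return true
			}
		}
	}
	return false
}

// Verifies reports whether leaf chains to a root in bundle for host, i.e. whether a client shipping that bundle accepts it.
func Verifies(leaf *x509.Certificate, bundle []byte, host string) bool {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(bundle)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}
```

Calling NewRoot twice, concatenating the two PEM outputs, running FilterBundle with the distrusted organisation and then checking Verifies for a leaf from each root gives true for both before pruning and true/false afterwards. The organisation-name match is a deliberate simplification for the example; when tracking a real removal one would key on the fingerprint or exact subject the upstream store publishes, since a name comparison is only a proxy.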