[PATCH 2/3] dirmngr: add system CAs if no hkp-cacert is given

Kristian Fiskerstrand kristian.fiskerstrand at sumptuouscapital.com
Tue Nov 1 20:35:20 CET 2016

On 10/31/2016 03:30 PM, Daniel Kahn Gillmor wrote:
> On Thu 2016-10-27 18:59:03 -0400, Kristian Fiskerstrand wrote:
>> On 10/28/2016 12:30 AM, Daniel Kahn Gillmor wrote:
>>> * dirmngr/dirmngr.c (http_session_new): if the user isn't talking to
>>>   the HKPS pool, and they have not specified any hkp-cacert, then we
>>>   should default to the system CAs, rather than nothing.
>>> * doc/dirmngr.texi: document choice of CAs.
>> I'm a bit ambiguous about this change. In Gentoo we currently have the
>> use of a system CA behind a user-selectable use flag for hkps, but even
>> so the set of provided CAs originates mostly from Mozilla.
>> As seen with the latest WoSign / StartCom issues, Mozilla is not overly
>> concerned about third-party usage of the provided CA certificates, and
>> has more complex restrictions in place for NSS (e.g. specific
>> notBeforeDate and OneCRL checking).
>> As such I question the security of the root stores and actually like
>> that it defaults to not using system CAs, so users need to make an
>> informed decision.
> We're talking about case (b) from the commit message, right?

As discussed here and on IRC, you've convinced me that the correct
approach is shifting the focus to auditing the components of the
distribution-provided root stores [Note A] and enabling the use of a
centralized system root store for the applications.

Handling of the WoSign and StartCom removals will be an interesting test
to see how this is done in various distros; so far I'm only aware of one
that has removed the certs.

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
"When I was kidnapped, my parents snapped into action. They rented out
my room."
(Woody Allen)
