On 07/06/17 02:04, Alistair Crooks wrote: > Distributing mozilla root certs is hardly "TNF takes on the role of a > trusted CA source".
Granted, I'm a biased because of $dayjob, but in my view someone handing me a bunch of CA certificates as part of an installation is by definition taking on the role of a trusted CA source. I assume you disagree -- the question is: If there's an incident due to outdated and compromised root CA's, which view will the security community take -- yours or mine? (To be perfectly honest, I'm way too biased to be able to answer it objectively, but I ask readers consider this perspective). (Also, don't misread "trusted CA source" as "CA issuer" -- completely different entities). > And we need to start thinking laterally here. Certs are necessarily > transitory, and we wish any form of added trust to be enduring over a > period of time. > > + Can we use ssh fingerprints of project machines as part of the > trust-booting procedure, or as a light form of 2FA? > + Can we ship just a subset of root certs to get, in a trusted way, to > NetBSD.org, and then download (with a bit more assurance than just a > straight HTTP GET request) an updated set of mozilla root certs? > + Can we ship a full set of root certs, as a bootstrap mechanism to > getting a more up to date set? What is the fallback in this case - no > service? > + Can we talk have the certs mirrored, and use a number of similar > replies from untrusted sources as a bootstrap mechanism? > + Do we put all of our eggs in one basket, pin the cert, and then rely > on that being the one true way? > + How should true revocation be done? > + root certs which are signed with NetBSD ssh host keys could be an > interesting area of opportunity > + Everything else I've forgotten Everything you list here is essentially a sign of you wanting TNF to be a trusted CA source, so you've made me very confused with regards to what your objection was(?). If you [as in TNF] are willing to set that up (a means to distribute a CA bundle securely, vouch for it, and provide a mechanism for users to keep it up-to-date and verify its correctness), I'd be very pleased (This is something I've wanted for a long time). I'm just against the idea of "let's ship a bundle of outdated certs, with no means of keeping them up-to-date, just to shut programs up.", which was my interpretation of the original suggestion. (Your reply made it clear that I hadn't made that point sufficiently clear in my previous posts). I like the direction you're taking this; please don't take my posts as discouragement. -- Kind regards, Jan Danielsson
