Gentoo Archives: gentoo-user

From: Fannys <marinus.savoritias@×××××××.dev>
To: "gentoo-user@l.g.o" <gentoo-user@l.g.o>
Subject: Re: [gentoo-user] app-misc/ca-certificates
Date: Wed, 02 Jun 2021 07:48:46
Message-Id: 13496721-FF58-400B-9045-64C624A6F844@pretty.Easy.privacy
In Reply to: Re: [gentoo-user] app-misc/ca-certificates by Grant Taylor
1 On June 2, 2021 1:51:06 AM UTC, Grant Taylor <gtaylor@×××××××××××××××××××××.net> wrote:
2 >On 6/1/21 3:38 PM, Michael Orlitzky wrote:
3 >> *Any* CA can just generate a new key and sign the corresponding
4 >> certificate.
5 >
6 >This is where what can /technically/ be done diverges from what is
7 >/allowed/ to be done.
8 >
9 >CAs adhering to the CA/B Forum's requirements on CAA records mean that
10 >they aren't allowed to issue a certificate for a domain that doesn't
11 >list them in the CAA record.
12 >
13 >If a CA violates the CAA record requirement, then the CA has bigger
14 >issues and will be subject to distrusting in mass.
15 >
16 >Certificate Transparency logs make it a lot easier to identify if such
17 >shenanigans are done. -- I think that the CA/B Forum is also
18 >requiring
19 >C.T. Logs.
20 >
21 >Also, CAs /should/ *NOT* be generating keys. The keys should be
22 >generated by the malicious party trying to pull the shenanigans that
23 >you're talking about.
24 >
25 >> All browsers will treat their fake certificate corresponding to the
26 >> fake key on their fake web server as completely legitimate. The
27 >"real"
28 >> original key that you generated has no special technical properties
29 >> that distinguish it.
30 >
31 >Not /all/ browsers. I know people that have run browser extensions to
32 >validate the TLS certificate that they receive against records
33 >published
34 >via DANE in DNS, which is protected by DNSSEC. So it's effectively
35 >impossible for a rogue CA and malicious actor to violate that chain of
36 >trust in a way that can't be detected and acted on.
38 From my understanding its all based on trust and faith unless I take steps from my side. That doesnt seem very safe.
39 Tech should be based on tech. Not faith and trust on the other party.
41 Marinus


File name MIME type
pEpkey.asc application/pgp-keys


Subject Author
Re: [gentoo-user] app-misc/ca-certificates Grant Taylor <gtaylor@×××××××××××××××××××××.net>