1 |
On Wednesday, June 2, 2021 12:28:49 AM CEST Fannys wrote: |
2 |
> On June 1, 2021 4:45:45 AM UTC, "J. Roeleveld" <joost@××××××××.org> wrote: |
3 |
> >On Saturday, May 29, 2021 8:26:57 AM CEST Walter Dnes wrote: |
4 |
> >> On Sat, May 29, 2021 at 03:08:39AM +0200, zcampe@×××××.com wrote |
5 |
> >> |
6 |
> >> > 125 config files in /etc/ssl/certs needs update. |
7 |
> >> > |
8 |
> >> > For certificates I would expect the old and invalid ones to be |
9 |
> > |
10 |
> >replaced |
11 |
> > |
12 |
> >> > by newer ones without user intervention. |
13 |
> >> > |
14 |
> >> Looking through them is "interesting". There seem to be a lot of |
15 |
> >> |
16 |
> >> /etc/ssl/certs/????????.0 files, where "?" is either a random number |
17 |
> > |
18 |
> >or |
19 |
> > |
20 |
> >> a lower case letter. These all seem to be symlinks to |
21 |
> >> /etc/ssl/certs/<Some_Name>.pem. Each of those files is in turn a |
22 |
> >> symlink to /usr/share/ca-certificates/mozilla/<Some_Name>.crt. How |
23 |
> > |
24 |
> >much |
25 |
> > |
26 |
> >> do we trust China? There are a couple of certificates in there named |
27 |
> >> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_1.crt and |
28 |
> >> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_3.crt. Any |
29 |
> >> other suspicious regimes in there? |
30 |
> > |
31 |
> >I've always wondered about the amount of CAs that are auto-trusted on |
32 |
> >any |
33 |
> >system. Including several from countries with serious human rights |
34 |
> >issues. |
35 |
> > |
36 |
> >I could do with a tool where I can easily select which CAs to trust |
37 |
> >based on |
38 |
> >country. |
39 |
> > |
40 |
> >-- |
41 |
> >Joost |
42 |
> |
43 |
> Is there actually any tool that can let me pick my certificates? |
44 |
> If i go and start deleting randomly certificates from regimes i dont like |
45 |
> will there be any "breaking change"? I suppose firefox uses its own |
46 |
> certificate store though. |
47 |
|
48 |
If the CA is removed from your system/app/..., any key signed by that CA will |
49 |
be seen as "untrusted" (treated as if self-signed) and you need to go through |
50 |
the usual hoops to allow that certificate to be used. |
51 |
|
52 |
-- |
53 |
Joost |