On June 1, 2021 4:45:45 AM UTC, "J. Roeleveld" <joost@××××××××.org> wrote:
>On Saturday, May 29, 2021 8:26:57 AM CEST Walter Dnes wrote:
>> On Sat, May 29, 2021 at 03:08:39AM +0200, zcampe@×××××.com wrote
>>
>> > 125 config files in /etc/ssl/certs needs update.
>> >
>> > For certificates I would expect the old and invalid ones to be replaced
>> > by newer ones without user intervention.
>>
>> Looking through them is "interesting". There seem to be a lot of
>> /etc/ssl/certs/????????.0 files, where "?" is either a random number or
>> a lower case letter. These all seem to be symlinks to
>> /etc/ssl/certs/<Some_Name>.pem. Each of those files is in turn a
>> symlink to /usr/share/ca-certificates/mozilla/<Some_Name>.crt. How much
>> do we trust China? There are a couple of certificates in there named
>> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_1.crt and
>> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_3.crt. Any
>> other suspicious regimes in there?
>
>I've always wondered about the amount of CAs that are auto-trusted on any
>system. Including several from countries with serious human rights issues.
>
>I could do with a tool where I can easily select which CAs to trust based on
>country.
>
>--
>Joost

Is there actually any tool that can let me pick my certificates?
If I go and start randomly deleting certificates from regimes I don't like, will there be any "breaking change"?
I suppose Firefox uses its own certificate store though.

Marinus
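
Added example, not part of any message in this thread: a sketch that inventories the symlink chain Walter describes and deselects CAs through the ca-certificates configuration file instead of deleting files. It assumes the system uses the ca-certificates package's /etc/ca-certificates.conf, where a leading "!" deselects an entry; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the layout Walter describes
# (hash link -> <Name>.pem -> .../mozilla/<Name>.crt) and a ca-certificates
# style /etc/ca-certificates.conf. Function names are hypothetical.

# list_anchors DIR
# Print "<hash link> <ok|dangling> <final target>" for every ????????.N
# symlink in DIR. "dangling" is what hand-deleting a .crt leaves behind.
list_anchors() {
    dir=$1
    for link in "$dir"/????????.[0-9]*; do
        [ -L "$link" ] || continue            # skip non-links and an unmatched glob
        target=$(readlink -f "$link") || continue
        if [ -e "$target" ]; then state=ok; else state=dangling; fi
        printf '%s %s %s\n' "${link##*/}" "$state" "$target"
    done
}

# deselect_cas GLOB < ca-certificates.conf > new.conf
# Prefix every active entry matching GLOB with "!", the marker that
# update-ca-certificates treats as deselected. Comments, blank lines and
# already deselected entries pass through unchanged.
deselect_cas() {
    pattern=$1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*|'!'*) printf '%s\n' "$line" ;;
            $pattern)     printf '!%s\n' "$line" ;;
            *)            printf '%s\n' "$line" ;;
        esac
    done
}

# Usage (review the diff before replacing the live file):
#   list_anchors /etc/ssl/certs | grep -i hongkong
#   deselect_cas 'mozilla/Hongkong_Post_*' < /etc/ca-certificates.conf > /tmp/ca.conf
```

After installing the edited file, running update-ca-certificates regenerates the links in /etc/ssl/certs from it.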