Re: [gentoo-user] app-misc/ca-certificates
On June 2, 2021 1:51:06 AM UTC, Grant Taylor wrote:
> On 6/1/21 3:38 PM, Michael Orlitzky wrote:
>> *Any* CA can just generate a new key and sign the corresponding
>> certificate.
>
> This is where what can /technically/ be done diverges from what is
> /allowed/ to be done.
>
> CAs adhering to the CA/B Forum's requirements on CAA records mean that
> they aren't allowed to issue a certificate for a domain that doesn't
> list them in the CAA record.
>
> If a CA violates the CAA record requirement, then the CA has bigger
> issues and will be subject to distrusting en masse.
>
> Certificate Transparency logs make it a lot easier to identify if such
> shenanigans are done. -- I think that the CA/B Forum is also requiring
> C.T. Logs.
>
> Also, CAs /should/ *NOT* be generating keys. The keys should be
> generated by the malicious party trying to pull the shenanigans that
> you're talking about.
>
>> All browsers will treat their fake certificate corresponding to the
>> fake key on their fake web server as completely legitimate. The "real"
>> original key that you generated has no special technical properties
>> that distinguish it.
>
> Not /all/ browsers. I know people that have run browser extensions to
> validate the TLS certificate that they receive against records published
> via DANE in DNS, which is protected by DNSSEC. So it's effectively
> impossible for a rogue CA and malicious actor to violate that chain of
> trust in a way that can't be detected and acted on.

From my understanding it's all based on trust and faith unless I take steps from my side. That doesn't seem very safe. Tech should be based on tech. Not faith and trust in the other party.

Marinus
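The CAA rule Grant describes is the check a CA has to run before issuing, and it is also what a domain owner can evaluate to see what a compliant CA would conclude from their own records. The following is an added example written for this thread (it is not code from the list, from Gentoo or from any CA); it implements the RFC 8659 evaluation over a constructed zone standing in for DNS answers. All domain names (`example.test`, `good-ca.test`, and so on) are hypothetical, and the record set is made up for the demonstration.

```python
"""Evaluate CAA records the way RFC 8659 directs a CA to before issuing.

Added example for this thread; not code from the list or from Gentoo.
The zone below is constructed data standing in for DNS answers; in
practice the records would come from a CAA lookup of the requested name.
"""
from dataclasses import dataclass

CRITICAL = 0x80  # issuer-critical flag bit (RFC 8659)


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa_rdata(rdata: str) -> CAARecord:
    """Parse presentation-format rdata such as: 0 issue "ca.example"."""
    flags, tag, value = rdata.split(None, 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


# Constructed zone: FQDN -> CAA RRset. Hypothetical names, not real domains.
CONSTRUCTED_ZONE = {
    "example.test.": [
        parse_caa_rdata('0 issue "good-ca.test"'),
        parse_caa_rdata('0 issuewild ";"'),  # empty issuer: no wildcard certs at all
        parse_caa_rdata('0 iodef "mailto:security@example.test"'),
    ],
    "reportonly.test.": [parse_caa_rdata('0 iodef "mailto:abuse@reportonly.test"')],
    "strict.test.": [parse_caa_rdata('128 futureproperty "x"')],  # critical and unknown
}


def relevant_rrset(fqdn: str, zone: dict) -> list:
    """RFC 8659 section 3: the relevant RRset is the CAA RRset of the name
    itself or of its closest ancestor that has one; [] means none anywhere."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        rrset = zone.get(name)
        if rrset:
            return rrset
    return []


def issuance_permitted(fqdn: str, ca_domain: str, zone: dict,
                       wildcard: bool = False) -> bool:
    """Return True if a CA identified by ca_domain may issue for fqdn."""
    rrset = relevant_rrset(fqdn, zone)
    if not rrset:
        return True  # no CAA records in the ancestry: issuance unrestricted
    known = {"issue", "issuewild", "iodef"}
    # An unrecognised property with the critical flag forbids issuance outright.
    if any(r.flags & CRITICAL and r.tag not in known for r in rrset):
        return False
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # issuewild governs wildcard names only when present; otherwise issue applies.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # only non-restricting properties (e.g. iodef) are present
    for rec in applicable:
        # Value is "<issuer-domain>[; param=value ...]"; an empty issuer matches nobody.
        issuer_domain = rec.value.split(";", 1)[0].strip().lower()
        if issuer_domain and issuer_domain == ca_domain.lower():
            return True
    return False
```

The climb to the parent name matters in practice: `www.example.test` carries no CAA records of its own, yet the `issue` record on `example.test` still restricts it, and the `issuewild ";"` record blocks every wildcard certificate regardless of CA. Certificate Transparency is the complementary control: CAA prevents compliant CAs from issuing, while CT lets the domain owner detect issuance that happened anyway.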
Re: [gentoo-user] app-misc/ca-certificates
On June 1, 2021 4:45:45 AM UTC, "J. Roeleveld" wrote:
> On Saturday, May 29, 2021 8:26:57 AM CEST Walter Dnes wrote:
>> On Sat, May 29, 2021 at 03:08:39AM +0200, zca...@gmail.com wrote
>>
>>> 125 config files in /etc/ssl/certs needs update.
>>>
>>> For certificates I would expect the old and invalid ones to be replaced
>>> by newer ones without user intervention.
>>
>> Looking through them is "interesting". There seem to be a lot of
>> /etc/ssl/certs/.0 files, where "?" is either a random number or
>> a lower case letter. These all seem to be symlinks to
>> /etc/ssl/certs/.pem. Each of those files is in turn a
>> symlink to /usr/share/ca-certificates/mozilla/.crt. How much
>> do we trust China? There are a couple of certificates in there named
>> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_1.crt and
>> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_3.crt. Any
>> other suspicious regimes in there?
>
> I've always wondered about the amount of CAs that are auto-trusted on any
> system. Including several from countries with serious human rights issues.
>
> I could do with a tool where I can easily select which CAs to trust based on
> country.
>
> --
> Joost

Is there actually any tool that can let me pick my certificates? If I go and start randomly deleting certificates from regimes I don't like, will there be any "breaking change"? I suppose Firefox uses its own certificate store though.

Marinus
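A first step toward the per-country selection Joost asks for is an inventory of which roots in the bundle belong to which country, taken from the subject `C=` attribute. The following is an added example written for this thread, not a Gentoo tool: it parses the one-line output of `openssl x509 -noout -subject -in <file>` for each certificate and returns the files that would be deselected for a chosen set of countries. The subject lines are constructed sample data; apart from the two Hongkong Post files named in the thread, the file names are hypothetical.

```python
"""Group the roots of a Mozilla-style CA bundle by subject country and list
the ones to deselect.

Added example for this thread, not a Gentoo tool. Input is the one-line
`openssl x509 -noout -subject` output per certificate file; the mapping
below is constructed sample data (only the two Hongkong Post names come
from the thread, the rest are hypothetical).
"""
from collections import defaultdict

CONSTRUCTED_SUBJECTS = {
    "mozilla/Hongkong_Post_Root_CA_1.crt":
        "subject=C = HK, O = Hongkong Post, CN = Hongkong Post Root CA 1",
    "mozilla/Hongkong_Post_Root_CA_3.crt":
        "subject=C = HK, O = Hongkong Post, CN = Hongkong Post Root CA 3",
    "mozilla/Example_Root_CA.crt":
        "subject=C = US, O = Example Trust Services\\, Inc., CN = Example Root CA",
    "mozilla/Beispiel_Root_CA.crt":
        "subject=C = DE, O = Beispiel GmbH, CN = Beispiel Root CA",
    "mozilla/No_Country_Root.crt":
        "subject=O = Stateless Trust, CN = No Country Root",
}


def parse_subject(line: str) -> dict:
    """Turn 'subject=C = HK, O = ..., CN = ...' into {'C': 'HK', 'O': ..., 'CN': ...}.

    openssl escapes a literal comma inside an attribute value as '\\,', so a
    naive split on ',' would break such values; this walk honours the escape.
    """
    body = line.split("=", 1)[1] if line.startswith("subject=") else line
    parts, current, i = [], "", 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            current += body[i + 1]  # escaped character, taken literally
            i += 2
            continue
        if ch == ",":
            parts.append(current)
            current = ""
        else:
            current += ch
        i += 1
    parts.append(current)
    rdn = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            rdn[key.strip()] = value.strip()
    return rdn


def group_by_country(subjects: dict) -> dict:
    """Map ISO country code -> sorted list of certificate paths ('??' if no C=)."""
    groups = defaultdict(list)
    for path, line in subjects.items():
        groups[parse_subject(line).get("C", "??")].append(path)
    return {country: sorted(paths) for country, paths in groups.items()}


def certs_to_deselect(subjects: dict, distrusted_countries: set) -> list:
    """Certificate paths whose subject country is in the given set."""
    groups = group_by_country(subjects)
    return sorted(p for c in distrusted_countries for p in groups.get(c, []))
```

To run it against a real bundle, build the mapping by looping over `/usr/share/ca-certificates/mozilla/*.crt` and capturing each `openssl x509 -noout -subject` line. Two caveats follow from the thread itself: a subject country says where the CA is incorporated, not who operates or can coerce it, and removing roots from `/etc/ssl/certs` only affects programs that use the OpenSSL store, since Firefox ships its own.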
Re: [gentoo-user] gtk+ package question
On May 29, 2021 8:28:42 PM UTC, Jack wrote:
> I just noticed that the package x11-libs/gtk+ has slots 2 and 3
> (nothing new there) however, it seems that version 4 has a totally new
> package gui-libs/gtk with only slot 0 (no explicit slot listed) with
> currently ~4.2.0 and 4.2.1 versions available. I've done a quick
> search through the announce and dev mailing lists, and not found
> anything relevant. Is this an intentional switch? I don't think there
> is much yet that uses version 4, but is there any planned migration
> path?
>
> Have I missed something?
>
> Thanks for any info.
>
> Jack

For the category change, it is to my understanding that Gentoo is slowly moving from x11-style categories to gui-*, partly due to Wayland starting to become used more. I first noticed that with sway. As for the slot part, somebody more knowledgeable than me can chime in.

Regards,
Marinus