On 09/03/2017 09:09 AM, Julien Cristau wrote:
> ca-certificates 20170717 added the "TUBITAK Kamu SM SSL Kok Sertifikasi
> - Surum 1" CA, but when that was added to nss it was restricted to a
> small set of domains[1]. Thus I wonder if it wouldn't be better to
> blacklist it from ca-certificates, since we can't encode this kind of
> constraint.
>
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1349705

There are a number of technically constrained CAs. I'm not sure blacklisting would be the right answer for Debian/derivative users, since that makes the CA certificate completely uninstalled by the package and never able to be used. In the best-case scenario, the CA abides by the technical constraints and never issues a certificate outside of their allowed domains, and there are no problems.

I understand this isn't an ideal world, security issues happen, but I also don't wish to punish users of a technically constrained CA, since there's no mechanism in ca-certificates for this check, like there is in NSS. I don't have a great idea at the moment, but do think blacklisting a technically constrained CA is a bit heavy-handed.

--
Michael

