Hello,

instead of re-enabling the GeoTrust root wouldn't it be much simpler to include the CA certificates outlined in https://wiki.mozilla.org/CA/Additional_Trust_Changes under Symantec instead? This would also render other non-trustworthy certificates from GeoTrust useless.

In the meantime we've pinned the root CA of Apple's offending endpoints, which is what their developer documentation suggests. I just fear that they might decide tomorrow that they want to change certificates after all. I'm not entirely convinced they'll serve multiple certificates for a transition period.

Kind regards.

On Wed, 17 Jun 2020 08:15:27 -0500 Michael Catanzaro <mcatanz...@gnome.org> wrote:

> Hi,
>
> I asked Fedora's ca-certificates maintainer to comment on this. I
> didn't fully understand his reply, but he says this was some sort of
> mistake in Debian's package and not an upstream problem:
> https://bugzilla.redhat.com/show_bug.cgi?id=1845988#c3
>
> """
> So mozilla lists relevant changes between NSS processing and the raw
> cert trust database here:
> https://wiki.mozilla.org/CA/Additional_Trust_Changes . NSS was indeed
> whitelisting accepted intermediates, but it also didn't explicitly
> remove the target CA's from the trust list. It now uses
> CKA_NSS_SERVER_DISTRUST_AFTER to handle how it distrusts the given CA's.
>
> I've verified that the cert has not been removed from the current trust
> list, but CKA_NSS_SERVER_DISTRUST_AFTER has been set in the latest
> version. This means if the certs issued from this CA were issued after
> the specified date, then the trust would be distrusted, otherwise it
> will continue to be trusted.
>
> I suspect Debian took out the certs from the trust store altogether,
> rather than process the list straight from mozilla.
>
> Upshot: if you process CKA_NSS_SERVER_DISTRUST_AFTER, then you will get
> safer behavior, otherwise the ca's are still trusted in the latest list.
> """
>
> I suspect you have more broken certificates that need to be restored
> than just GeoTrust.
>
> Furthermore, last time we had a major Debian-specific certificate
> verification issue, we discovered that Debian is not actually capable
> of restoring previously-removed certificates without manual user
> intervention, see
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743339. That means
> that even once these certificates are restored, users who have already
> updated to the affected version of ca-certificates will suffer
> permanently broken certificate verification unless they have found this
> bug report and know to take manual intervention, because the
> certificates will remain disabled locally.
>
> Michael

--
Kind regards
Kim-Alexander Brodowski

IServ GmbH
Development
Bültenweg 73
38106 Braunschweig

Phone:     +49 531 22 43 666-0
Mobile:    +49 152 55 17 55 16
Fax:       +49 531 22 43 666-9
E-mail:    kim.brodow...@iserv.eu
Web:       https://iserv.eu

VAT ID DE265149425 | Amtsgericht Braunschweig | HRB 201822
Managing directors: Benjamin Heindl, Martin Hüppe, Jörg Ludwig
Privacy policy: https://iserv.eu/privacy
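The quoted Fedora comment describes the intended semantics of CKA_NSS_SERVER_DISTRUST_AFTER: a root stays in the store, and a certificate chaining to it is only rejected for TLS if it was issued after the cut-off date. The following is an added example, not code from this thread, Debian, Fedora or NSS. It parses a constructed certdata.txt excerpt (the MULTILINE_OCTAL / CK_BBOOL syntax follows the NSS certdata.txt format; the root labels and the 2020-03-01 cut-off are invented) and contrasts the NSS date-based decision with what happens when the root is dropped from the store altogether, which is the behaviour the thread attributes to the Debian package.

```python
"""Added example: interpreting CKA_NSS_SERVER_DISTRUST_AFTER from certdata.txt.

Not part of the mailing-list thread. Labels and dates below are constructed.
"""
import re
from datetime import datetime, timezone

# Constructed certdata.txt excerpt. The attribute syntax follows the NSS file
# format; "Example Legacy Root CA" / "Example Current Root CA" and the
# 2020-03-01 cut-off are invented for this example, not real root entries.
CERTDATA_EXCERPT = r"""
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Legacy Root CA"
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\060\060\063\060\061\060\060\060\060\060\060\132
END
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Current Root CA"
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
"""


def _decode_octal(lines):
    """Turn MULTILINE_OCTAL escapes (\\062\\060...) into the ASCII timestamp."""
    raw = "".join(lines)
    return bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", raw)).decode("ascii")


def parse_server_distrust_after(text):
    """Map each trust object's label to its server distrust-after cut-off.

    Value is a UTC datetime, or None when the attribute is CK_FALSE (no cut-off).
    """
    result = {}
    label = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("CKA_LABEL UTF8 "):
            label = line.split('"', 2)[1]
            result.setdefault(label, None)
        elif line.startswith("CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL"):
            body = []
            i += 1
            while lines[i].strip() != "END":
                body.append(lines[i].strip())
                i += 1
            stamp = _decode_octal(body)  # UTCTime-style string, e.g. "200301000000Z"
            result[label] = datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        i += 1
    return result


def cutoff_as_text(certdata_text, label):
    """Convenience accessor: ISO 8601 cut-off for a root, or None."""
    cutoff = parse_server_distrust_after(certdata_text)[label]
    return cutoff.isoformat() if cutoff else None


def nss_server_trust(distrust_after, not_before):
    """NSS semantics: still trusted for TLS unless issued after the cut-off."""
    if distrust_after is None:
        return True
    return not_before <= distrust_after


def root_removed_trust(distrust_after, not_before):
    """Dropping the root instead: every chain to it fails, whatever the date."""
    return distrust_after is None


def evaluate(certdata_text, label, not_before_iso):
    """Return (nss_decision, root_removed_decision) for a leaf certificate
    whose notBefore is `not_before_iso` (UTC date) and whose chain ends at `label`."""
    cutoff = parse_server_distrust_after(certdata_text)[label]
    not_before = datetime.fromisoformat(not_before_iso).replace(tzinfo=timezone.utc)
    return nss_server_trust(cutoff, not_before), root_removed_trust(cutoff, not_before)


if __name__ == "__main__":
    for label, issued in [("Example Legacy Root CA", "2019-06-01"),
                          ("Example Legacy Root CA", "2020-06-01"),
                          ("Example Current Root CA", "2021-01-01")]:
        nss, removed = evaluate(CERTDATA_EXCERPT, label, issued)
        print(f"{label:24} issued {issued}: NSS trusts={nss}, root removed trusts={removed}")
```

The middle case is the one that matters for the thread: a leaf issued before the cut-off under a root that carries a distrust-after date is accepted by NSS but rejected outright once the root is removed, which is exactly the class of breakage the reporter is seeing.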
