Hi, I wonder if security guys will have some reservations about the pre-built root list. This will result in supplying two potentially different sources of trust and will require maintenance to keep those in sync. A possible scenario is a CA being revoked, which results in an update to ca-certificates. If the same CA was present in the pre-built list, then ca-certificates-java needs to be updated at the same time.
Best Regards, Vladimir.

On Wed, Feb 22, 2023 at 10:30 AM Thorsten Glaser <t.gla...@tarent.de> wrote:
>
> On Wed, 22 Feb 2023, Vladimir Petko wrote:
>
> >Just a small clarification, openssl itself allows importing a single
> >certificate and its chain and overwrites the store in the process, so
> >we need something like p11-kit.
> >Another grey area is ORACLE_TrustedKeyUsage attribute - at the moment
>
> Ugh.
>
> How about doing it the “low-tech” way:
>
> – ship a minimal JKS keystore with bin:ca-certificates-java,
>   generated at build time, that contains a manually vetted
>   list of roots, perhaps just what’s relevant for Debian
> – use a Recommends to get at a JRE
> – with trigger, generate a full keystore, once a JRE is there
>
> (The shipped one would need to be in /usr/share/!(doc) and
> copied so overwriting it with the generated one works and
> we’ll probably need to track hashes of shipped ones so we
> can honour admin choices to override the keystore if needed.)
>
> bye,
> //mirabilos
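The two mechanisms discussed in this thread, as an added shell example that is not code from ca-certificates-java or from either poster: the shipped-hash check that lets a trigger tell a pristine shipped keystore from an admin-modified one, and a drift check that flags roots in the pre-built list which ca-certificates no longer carries. The file paths and the plain-text fingerprint manifests are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the ca-certificates-java package.
# Assumed (hypothetical) layout:
#   /usr/share/ca-certificates-java/cacerts         pre-built minimal JKS keystore
#   /usr/share/ca-certificates-java/shipped.sha256  sha256 of every keystore ever shipped
#   /usr/share/ca-certificates-java/roots.fp        fingerprints in the pre-built list
#   /etc/ssl/certs/java/cacerts                     installed keystore
#   a fingerprint list derived from the ca-certificates package

# keystore_may_overwrite INSTALLED SHIPPED_HASHES
# Exit 0 if INSTALLED is absent or its sha256 matches one of the hashes the
# package ever shipped (pristine, so the trigger may regenerate it).
# Exit 1 if the admin changed it, so the trigger must leave it alone.
keystore_may_overwrite() {
    installed="$1"
    hashes="$2"
    [ -e "$installed" ] || return 0       # nothing to preserve yet
    sum=$(sha256sum "$installed" | cut -d' ' -f1)
    grep -qx "$sum" "$hashes"             # -x: whole-line match only
}

# roots_missing_from_system PREBUILT_FP SYSTEM_FP
# Print every fingerprint in the pre-built list that is not in the
# ca-certificates list, i.e. a root the pre-built keystore would still
# trust after the CA was dropped (the out-of-sync case raised above).
roots_missing_from_system() {
    prebuilt="$1"
    system="$2"
    grep -vxFf "$system" "$prebuilt" || true   # grep exits 1 when in sync
}

# check_in_sync PREBUILT_FP SYSTEM_FP: exit 0 when no root is stale.
check_in_sync() {
    [ -z "$(roots_missing_from_system "$1" "$2")" ]
}
```

In a real trigger the system fingerprint list would be generated from /etc/ssl/certs at run time, and a non-empty result from roots_missing_from_system is the signal that ca-certificates-java needs a rebuild.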