On Wed, 2007-08-22 at 13:29 +0200, Raphael Marichez wrote:
> On Tue, 21 Aug 2007, Natanael Copa wrote:
> 
> > Hi,
> > 
> > I use the gentoo framework to build binary packages. I noticed that most
> > packages create the ssl certificate during src_install(). This makes
> > all binary packages contain the ssl certs, which is a security threat.
> 
> 
> Hi,
> 
> If you are really concerned by security, then you do not want to use
> such automatically-generated certificates. They generally contain fake
> CN names (e.g. "CN=localhost") and they are not expected in a PKI
> environment: they can't be checked nor trusted. You will generate your
> own certificates with your own root CA, your own CRL and your own
> policy.

Of course. I'm just telling that there are some public keys available in
the binary packages so joe user might believe he has encryption of his
traffic out of the box.

> > 
> > The net-nds/openldap package has understood this and calls docert from
> > pkg_postinst() and even includes this comment:
> > 
> >     # You cannot build SSL certificates during src_install that will make
> >     # binary packages containing your SSL key, which is both a security risk
> >     # and a misconfiguration if multiple machines use the same key and cert.
> 
> I guess openldap generates self-signed certificates with generic CN
> names, and this problem is not solved this way.

Difficult to decrypt traffic even if it uses self-signed keys. Trivial
if you have the private keys.

Do whatever you want with it. I was just surprised to find private keys
in my binary packages.

> Cheers,

-- 
[EMAIL PROTECTED] mailing list
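As an added defender-side check that is not part of this thread or of Gentoo's own tooling: a small POSIX shell scanner that lists the members of a built binary package tarball containing PEM private-key blocks, which is the condition described above (a key generated in src_install ending up in every installed copy). The package layout, file names and the placeholder key bytes are constructed for the example.

```shell
#!/bin/sh
# Scan a binary package tarball for member files that contain PEM private-key
# blocks. Any hit means a private key was created at build time and would be
# shipped identically to every machine that installs the package.
# Usage: scan_tarball_for_keys /path/to/package.tar

scan_tarball_for_keys() {
    tarball="$1"
    # Walk the member list; directories end in "/" and are skipped. Each regular
    # file is streamed to stdout (-O) and searched for a PEM private-key header.
    tar -tf "$tarball" | while IFS= read -r member; do
        case "$member" in */) continue ;; esac
        if tar -xOf "$tarball" "$member" 2>/dev/null \
            | grep -q -- '-----BEGIN .*PRIVATE KEY-----'; then
            printf '%s\n' "$member"
        fi
    done
}

# Number of leaking members; a package build check should fail when this is non-zero.
count_leaked_keys() {
    scan_tarball_for_keys "$1" | wc -l | tr -d ' '
}

# Build a constructed sample package in a temp dir: one bogus key file (placeholder
# text, not a real key) and one harmless config file. Prints the tarball path.
make_sample_pkg() {
    dir="$(mktemp -d)"
    mkdir -p "$dir/image/etc/ssl/demo"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END RSA PRIVATE KEY-----\n' \
        > "$dir/image/etc/ssl/demo/server.key"
    printf 'TLSCertificateFile /etc/ssl/demo/server.crt\n' > "$dir/image/etc/ssl/demo/demo.conf"
    (cd "$dir/image" && tar -cf "$dir/demo-1.0.tar" .)
    printf '%s\n' "$dir/demo-1.0.tar"
}
```

For Gentoo .tbz2 packages, decompress with bzip2 first or pass the archive through `tar -j`; the member-walking logic is the same.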