Re: How to submit Root CA to ship with Fedora
On Mon, May 20, 2019 at 9:20 AM Stephen Gallagher wrote:
>
> On Mon, May 20, 2019 at 8:53 AM Danishka Navin wrote:
> > Seems the government is working with Chinese tech people to run a mass online
> > surveillance system.
> > http://www.themorning.lk/china-styled-mass-online-surveillance/
> >
> > But I am not clear how a Root CA can be used for an SSL MITM attack instead of a user
> > cert.
>
> If you trust a root CA for signing websites, then they can sign a new
> certificate for google.com, then modify DNS to send you to a
> non-Google server presenting their certificate, signed by the corrupt
> CA. They'd decrypt all of your traffic, read it, re-encrypt it with
> the real google.com cert and pass it along. You would still see the
> website you expect to, but in the middle all of your traffic is
> exposed to the man-in-the-middle server.

It's typically detectable by delays because the SSL connection occurs twice, but given the clients are in China, well, some delays are not shocking.

___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
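A more reliable client-side check than timing for the substitution described above, added here as an example and not code from the thread: once the TLS library has validated the chain against the system trust store, compare the leaf certificate's issuer organization with what you expect for that site. The organization names, certificate data and expected-issuer set are constructed placeholders.

```python
import socket
import ssl

# Added example, not from the thread; names below are constructed placeholders, not real CAs.
EXPECTED_ISSUER_ORGS = {"Example Trust Services"}

def dn_to_dict(rdn_sequence):
    """Flatten the tuple-of-tuples distinguished name that
    SSLSocket.getpeercert() returns into {attribute: value}."""
    return {attr: value for rdn in rdn_sequence for attr, value in rdn}

def check_issuer(peer_cert, expected_issuer_orgs):
    """Return (ok, reason). The TLS library already accepted the chain;
    this extra check flags a leaf issued under an unexpected organization,
    which is what a cert for a known site signed by a rogue root looks like.
    Name matching is a heuristic: a rogue CA can copy the expected issuer
    name, so pinning the expected root's public key hash is stronger."""
    subject = dn_to_dict(peer_cert.get("subject", ()))
    issuer = dn_to_dict(peer_cert.get("issuer", ()))
    org = issuer.get("organizationName")
    if org in expected_issuer_orgs:
        return True, f"{subject.get('commonName')} issued by expected org {org!r}"
    return False, f"{subject.get('commonName')} issued by unexpected issuer {issuer}"

def fetch_peer_cert(host, port=443, timeout=5.0):
    """Connect using the system trust store (the anchors update-ca-trust
    installs feed into it) and return the parsed leaf certificate.
    Network call; not exercised by the offline sample below."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample data in the exact shape getpeercert() produces.
GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Trust Services"),),
               (("commonName", "Example Issuing CA 1"),)),
}
SUBSTITUTED_CERT = {  # same subject, chained to a different (unexpected) root
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "ZZ"),),
               (("organizationName", "Placeholder Interception CA"),),
               (("commonName", "Placeholder Root"),)),
}
if __name__ == "__main__":
    for cert in (GOOD_CERT, SUBSTITUTED_CERT):
        print(check_issuer(cert, EXPECTED_ISSUER_ORGS))
```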
Re: How to submit Root CA to ship with Fedora
On Mon, May 20, 2019 at 8:53 AM Danishka Navin wrote:
> Seems the government is working with Chinese tech people to run a mass online
> surveillance system.
> http://www.themorning.lk/china-styled-mass-online-surveillance/
>
> But I am not clear how a Root CA can be used for an SSL MITM attack instead of a user
> cert.

If you trust a root CA for signing websites, then they can sign a new
certificate for google.com, then modify DNS to send you to a
non-Google server presenting their certificate, signed by the corrupt
CA. They'd decrypt all of your traffic, read it, re-encrypt it with
the real google.com cert and pass it along. You would still see the
website you expect to, but in the middle all of your traffic is
exposed to the man-in-the-middle server.
Re: How to submit Root CA to ship with Fedora
On Fri, Apr 26, 2019 at 2:06 AM Stephen Gallagher wrote:
> On Thu, Apr 25, 2019 at 1:42 PM Danishka Navin wrote:
> >
> > On Wed, Apr 24, 2019 at 6:02 PM Sérgio Basto wrote:
> >>
> >> On Wed, 2019-04-24 at 11:35 +0530, Danishka Navin wrote:
> >>
> >> Hi,
> >>
> >> Sri Lanka Cert is gonna implement a local Root CA.
> >> How can we submit this Root CA with Fedora?
> >>
> >> I could not find enough information on this.
> >>
> >>
> >> You can do one custom ca-certificates-2018.2.26-2.fc29.noarch package
> >> and add your certificate to ca-trust in your system
> >
> >
> > It's about official distribution through formal channels, i.e. Operating
> > Systems and Browsers.
> > This is not about testing locally.
> > I mean it's required to be in the ca-certificates-2018.2.26-2.fc29.noarch
> > package by default.
> >
>
> That package comes from Mozilla's collection. If Mozilla approves it,
> Fedora will pick it up as soon as an updated ca-certificates package
> is released. That said, it sounds like the intent of that CA is for a
> government-mandated man-in-the-middle attack to monitor secure
> traffic. It is highly unlikely that will be accepted by Mozilla.

Seems the government is working with Chinese tech people to run a mass online surveillance system.
http://www.themorning.lk/china-styled-mass-online-surveillance/

But I am not clear how a Root CA can be used for an SSL MITM attack instead of a user cert.

--
Danishka Navin
Re: How to submit Root CA to ship with Fedora
On Thu, Apr 25, 2019 at 1:42 PM Danishka Navin wrote:
>
> On Wed, Apr 24, 2019 at 6:02 PM Sérgio Basto wrote:
>>
>> On Wed, 2019-04-24 at 11:35 +0530, Danishka Navin wrote:
>>
>> Hi,
>>
>> Sri Lanka Cert is gonna implement a local Root CA.
>> How can we submit this Root CA with Fedora?
>>
>> I could not find enough information on this.
>>
>>
>> You can do one custom ca-certificates-2018.2.26-2.fc29.noarch package and
>> add your certificate to ca-trust in your system
>
>
> It's about official distribution through formal channels, i.e. Operating
> Systems and Browsers.
> This is not about testing locally.
> I mean it's required to be in the ca-certificates-2018.2.26-2.fc29.noarch package
> by default.
>

That package comes from Mozilla's collection. If Mozilla approves it,
Fedora will pick it up as soon as an updated ca-certificates package
is released. That said, it sounds like the intent of that CA is for a
government-mandated man-in-the-middle attack to monitor secure
traffic. It is highly unlikely that will be accepted by Mozilla.
Re: How to submit Root CA to ship with Fedora
On Wed, Apr 24, 2019 at 6:02 PM Sérgio Basto wrote:
> On Wed, 2019-04-24 at 11:35 +0530, Danishka Navin wrote:
>
> Hi,
>
> Sri Lanka Cert is gonna implement a local Root CA.
> How can we submit this Root CA with Fedora?
>
> I could not find enough information on this.
>
>
> You can do one custom ca-certificates-2018.2.26-2.fc29.noarch package
> and add your certificate to ca-trust in your system
>

It's about official distribution through formal channels, i.e. Operating Systems and Browsers.
This is not about testing locally.
I mean it's required to be in the ca-certificates-2018.2.26-2.fc29.noarch package by default.

> Or you just need to copy your CA to /etc/pki/ca-trust/source/anchors and run
> update-ca-trust
>
> I used it as a reference [1]
> [1]
>
> https://ask.fedoraproject.org/en/question/37820/confusion-with-rpm-fusions-signing-keys/?answer=38282#post-id-38282
>
> Best regards,
> --
>
> Sérgio M. B.

--
Danishka Navin
http://danishkanavin.blogspot.com
http://twitter.com/danishkanavin
(fix some typos) Re: How to submit Root CA to ship with Fedora
On Wed, 2019-04-24 at 11:35 +0530, Danishka Navin wrote:
> Hi,
>
> Sri Lanka Cert is gonna implement a local Root CA.
> How can we submit this Root CA with Fedora?
>
> I could not find enough information on this.

You can do one custom ca-certificates.noarch package and add your certificate to ca-trust in your system.

Or you just need to copy your CA cert to /etc/pki/ca-trust/source/anchors and run update-ca-trust.

I used it as a reference [1]

[1] https://ask.fedoraproject.org/en/question/37820/confusion-with-rpm-fusions-signing-keys/?answer=38282#post-id-38282

    cd /etc/pki/ca-trust/source/anchors
    wget http://www.cacert.org/certs/root.crt
    update-ca-trust

Best regards,
--
Sérgio M. B.
Re: How to submit Root CA to ship with Fedora
On Wed, 2019-04-24 at 11:35 +0530, Danishka Navin wrote:
> Hi,
>
> Sri Lanka Cert is gonna implement a local Root CA.
> How can we submit this Root CA with Fedora?
>
> I could not find enough information on this.

You can do one custom ca-certificates-2018.2.26-2.fc29.noarch package and add your certificate to ca-trust in your system

Or you just need to copy your CA to /etc/pki/ca-trust/source/anchors and run update-ca-trust

I used it as a reference [1]

[1] https://ask.fedoraproject.org/en/question/37820/confusion-with-rpm-fusions-signing-keys/?answer=38282#post-id-38282

Best regards,
--
Sérgio M. B.
Re: How to submit Root CA to ship with Fedora
Hello, Danishka Navin.

Wed, 24 Apr 2019 14:12:44 +0530 you wrote:
> I have already passed relevant information and asked to create a
> ticket against NSS product and 'CA Certificate Root Program' component.

Mozilla will never accept CA certificates for government MITM.

--
Sincerely,
Vitaly Zaitsev (vit...@easycoding.org)
Re: How to submit Root CA to ship with Fedora
On Wed, 2019-04-24 at 09:15 +0200, Dominik 'Rathann' Mierzejewski wrote:
> Hi,
>
> On Wednesday, 24 April 2019 at 08:05, Danishka Navin wrote:
> > Sri Lanka Cert is gonna implement a local Root CA.
> > How can we submit this Root CA with Fedora?
> >
> > I could not find enough information on this.
>
> The best path would be to get it included in Mozilla's root CA trust
> store, which Fedora consumes.

It is not just the best path but basically it is the only path. Fedora does not maintain its own list of trusted root CAs but directly consumes Mozilla's list.

--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your conscience.]
Re: How to submit Root CA to ship with Fedora
On Wed, Apr 24, 2019 at 12:46 PM Dominik 'Rathann' Mierzejewski <domi...@greysector.net> wrote:
> Hi,
>
> On Wednesday, 24 April 2019 at 08:05, Danishka Navin wrote:
> > Sri Lanka Cert is gonna implement a local Root CA.
> > How can we submit this Root CA with Fedora?
> >
> > I could not find enough information on this.
>
> The best path would be to get it included in Mozilla's root CA trust
> store, which Fedora consumes.
>

Thanks Dominik.
I have already passed relevant information and asked to create a ticket against NSS product and 'CA Certificate Root Program' component.

> https://wiki.mozilla.org/CA/Application_Process
>
> https://blog.mozilla.org/security/2019/02/14/why-does-mozilla-maintain-our-own-root-certificate-store/
>
> https://apps.fedoraproject.org/packages/ca-certificates/
>
> https://fedoraproject.org/wiki/CA-Certificates
>
> Regards,
> Dominik
> --
> Fedora https://getfedora.org | RPM Fusion http://rpmfusion.org
> There should be a science of discontent. People need hard times and
> oppression to develop psychic muscles.
> -- from "Collected Sayings of Muad'Dib" by the Princess Irulan

--
Danishka Navin
http://danishkanavin.blogspot.com
http://twitter.com/danishkanavin
Re: How to submit Root CA to ship with Fedora
Hi,

On Wednesday, 24 April 2019 at 08:05, Danishka Navin wrote:
> Sri Lanka Cert is gonna implement a local Root CA.
> How can we submit this Root CA with Fedora?
>
> I could not find enough information on this.

The best path would be to get it included in Mozilla's root CA trust store, which Fedora consumes.

https://wiki.mozilla.org/CA/Application_Process
https://blog.mozilla.org/security/2019/02/14/why-does-mozilla-maintain-our-own-root-certificate-store/
https://apps.fedoraproject.org/packages/ca-certificates/
https://fedoraproject.org/wiki/CA-Certificates

Regards,
Dominik
--
Fedora https://getfedora.org | RPM Fusion http://rpmfusion.org
There should be a science of discontent. People need hard times and
oppression to develop psychic muscles.
-- from "Collected Sayings of Muad'Dib" by the Princess Irulan
How to submit Root CA to ship with Fedora
Hi,

Sri Lanka Cert is gonna implement a local Root CA.
How can we submit this Root CA with Fedora?

I could not find enough information on this.

Regards,
--
Danishka Navin
http://danishkanavin.blogspot.com
http://twitter.com/danishkanavin