On 12/14/2015 07:45 PM, Andrew Ayer wrote:
> On Mon, 14 Dec 2015 18:45:40 -0600
> Michael Shuler <mich...@pbandjelly.org> wrote:
>
>>> As always, let me know if you could use any help. I'm going to
>>> start looking through the reverse depends for ca-certificates to
>>> identify packages that might be relying on roots for email
>>> authentication.
>>
>> Exactly. I also do not know if pointing mail-related CAs to another
>> filesystem location and patching mail-related packages to look there
>> is sufficient - are there mail clients/utilities that also open https
>> web urls?
>
> It wouldn't be a question of HTTPS connections, but rather TLS
> connections to IMAP, POP, and SMTP servers, which most MUAs will make.
> MUAs that implement S/MIME should use separate trust stores for TLS and
> S/MIME (or have some other way to distinguish between roots) and MUAs
> that don't are buggy. I would be interested in patching such MUAs,
> although this would be a long-term effort.
>
> Fortunately, there is a simple short-term solution that could be
> implemented immediately and would provide a security improvement to the
> majority of Debian users without removing any functionality: ship the
> email-only roots in a separate package. I suspect that only a small
> minority of Debian users use S/MIME, whereas a large majority of users
> use wget, curl, git, etc. with HTTPS, or MUAs with secure SMTP/IMAP/POP
> (but not S/MIME). The minority can install the S/MIME roots and have
> the same security and functionality as now, while the majority
> will benefit from better security. Is this an acceptable solution
> pending a long-term effort to assess and improve trust store handling
> in MUAs?
Thanks for your thoughts. A separate package is an interesting interim
idea, but in looking at what Red Hat has done, I think a more complete
transition to trust type buckets is preferred, along with including a
code-signing cert bucket. I think it's the extra package and updating
deps for a short-term solution that I'm not fond of. That would need
another update of deps and a proper solution in the long term. I guess
I'd have to see how many other packages this affects.

-- 
Kind regards,
Michael
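The "trust type buckets" split discussed in this thread, as an added example that is not part of the original thread and is not Debian's or Red Hat's tooling. It assumes the conventions of Mozilla's certdata.txt (the list Debian's ca-certificates package is generated from): every root has a CKO_CERTIFICATE object and a CKO_NSS_TRUST object sharing one CKA_LABEL, and a purpose is trusted when its CKA_TRUST_* attribute is CKT_NSS_TRUSTED_DELEGATOR. The bucket names and the sample records below are constructed; the labels and the DER bytes do not correspond to any real CA.

```python
"""Split a certdata.txt-style trust list into per-purpose root buckets.

Added example, not Debian's or Red Hat's code. Assumes Mozilla
certdata.txt conventions (certificate and trust objects paired by
CKA_LABEL; CKT_NSS_TRUSTED_DELEGATOR marks a trusted purpose).
"""
from collections import defaultdict

# Trust attribute -> bucket a distributor might ship as a separate bundle.
# Bucket names are an assumption of this example.
PURPOSE_BUCKETS = {
    "CKA_TRUST_SERVER_AUTH": "tls-server",
    "CKA_TRUST_EMAIL_PROTECTION": "email",
    "CKA_TRUST_CODE_SIGNING": "code-signing",
}
TRUSTED = "CKT_NSS_TRUSTED_DELEGATOR"

# Constructed sample in certdata.txt style (raw string so the octal
# escapes stay literal). Three invented roots: web-only, mail-only, all.
SAMPLE_CERTDATA = r"""
BEGINDATA

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Web Root CA"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Web Root CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Mail Root CA"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\001
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Mail Root CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Multi Root CA"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\002
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Multi Root CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
"""


def parse_objects(text):
    """Yield one dict per blank-line-separated object.

    MULTILINE_OCTAL bodies are consumed up to their END marker and kept
    as the raw octal text; UTF8 values lose their surrounding quotes.
    """
    obj = {}
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            if obj:
                yield obj
                obj = {}
            continue
        parts = line.split(None, 2)          # attribute, type, value
        if len(parts) < 2:                   # e.g. the BEGINDATA marker
            continue
        attr, typ = parts[0], parts[1]
        value = parts[2] if len(parts) > 2 else ""
        if typ == "MULTILINE_OCTAL":
            body = []
            for raw in lines:                # advances the same iterator
                if raw.strip() == "END":
                    break
                body.append(raw.strip())
            value = "".join(body)
        elif typ == "UTF8":
            value = value.strip('"')
        obj[attr] = value
    if obj:
        yield obj


def bucket_roots(text):
    """Return {bucket: sorted labels} of roots trusted for each purpose."""
    buckets = defaultdict(set)
    for obj in parse_objects(text):
        if obj.get("CKA_CLASS") != "CKO_NSS_TRUST":
            continue
        for attr, bucket in PURPOSE_BUCKETS.items():
            if obj.get(attr) == TRUSTED:
                buckets[bucket].add(obj["CKA_LABEL"])
    return {b: sorted(labels) for b, labels in buckets.items()}


def email_only_roots(text):
    """Roots trusted for S/MIME but not TLS server auth: the ones that
    should not be in the bundle wget, curl, git or an MUA's TLS code uses."""
    b = bucket_roots(text)
    return sorted(set(b.get("email", [])) - set(b.get("tls-server", [])))


def export_bucket(text, bucket):
    """Return {label: DER bytes} for one bucket, decoding the octal body,
    i.e. the content a packager would write into that bucket's bundle."""
    wanted = set(bucket_roots(text).get(bucket, []))
    out = {}
    for obj in parse_objects(text):
        if obj.get("CKA_CLASS") == "CKO_CERTIFICATE" and obj["CKA_LABEL"] in wanted:
            octal = obj["CKA_VALUE"]
            out[obj["CKA_LABEL"]] = bytes(int(o, 8) for o in octal.split("\\") if o)
    return out


if __name__ == "__main__":
    for bucket, labels in sorted(bucket_roots(SAMPLE_CERTDATA).items()):
        print(f"{bucket}: {labels}")
    print("email-only:", email_only_roots(SAMPLE_CERTDATA))
```

Running it on the sample lists "Example Mail Root CA" as the one email-only root, which is exactly the set Andrew proposes moving into a separate package; the same walk over a real certdata.txt gives a packager the per-purpose membership without trusting any EKU in the root itself, since trust purposes for roots are assigned by the distributor, not by the certificate.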