Hi,
On 03.09.21 13:11, Simon Richter wrote:
> [Revocation mechanism]
> If we don't have one, shouldn't we worry more about that given the
> widespread use of TLS?
> We have a big hammer, shipping a new ca-certificates package. If we want
> something that only affects apt, but not other packages, that mechanism
> doesn't exist yet.
I think that's an interesting point, not just for revocation. There are
forces pushing for more agility, switching out roots of trust more
frequently. So for very old releases, you usually had the signing key of
the next release on disk, so you could move to the next release. In this
case you sort of risk not having the TLS authority on disk to make that
happen. And of course we need to track what the authorities are doing
that our frontends are using (e.g. [1] around how to deal with old
Android devices).
But then I'm not sure how much we need to care about ancient releases
that are out of security support. We would need to commit to regularly
update the certificate bundle, though.
To your other point: I don't think managing trust in individual CAs
will scale. We cannot really anticipate which CAs we are going to use in
the future.
Kind regards
Philipp Kern
[1] https://letsencrypt.org/2020/12/21/extending-android-compatibility.html