On 07/06/2014 01:38 PM, Chris Knadle wrote:
> On Saturday, July 05, 2014 23:11:08 Gary Mort wrote:
>> All the various practices of the root CAs have annoyed me to no end.
>> I'm wondering if there is a relatively good way to configure my keyring
>> so I can control it.
>>
>> If I delete the default keystores or reconfigure specific application
>> keychain configurations, they frequently get rewritten during
>> application upgrades.
>
> Debian (and hopefully Debian-based distros) can do this, but I believe whether
> the option shows up /during upgrades/ depends on the 'priority level' setting
> for the 'debconf' package.
>
> Have a look at the documentation that comes with the 'ca-certificates'
> package, which will point to trying 'dpkg-reconfigure ca-certificates'.
> Unfortunately it doesn't discuss the debconf 'priority level' setting
> concerning having these options come up during upgrades of the ca-certificates
> package.
>
>> It looks like most apps can be configured to hook into my gnome-keychain
>> - so I'm thinking that rather than try to delete extraneous keys from
>> the various files they are squirrelled in - it might be easier to simply
>> maintain a database of revoked certificates and revoke all the roots.
>>
>> Is there any easy to use utility for this, or do I just need to roll my own?
>
> The ca-certificates package takes the installed and activated CA keys and
> makes a 'bundle' of them as one big certificate file in /etc/ssl/certs/ (I
> think the file is 'ca-certificates.crt') and I believe this is the file that
> applications use by default (though I believe not all applications use all of
> the keys in that keyfile, as there is a separate section of the keys for
> Mozilla/ vs others).

Most applications seem to assume that there are 4 "databases" of
credentials:
1) A System wide default set of certificates
2) A personal certificate database
3) A key database [usernames/passwords]
4) A 'database' of ssh keys

For gnome keychain it will provide a pkcs11 interface to them as
1) Files stored in the /etc/ssl/certs directory.
2) $HOME/.local/share/keyrings/user.keystore
3) $HOME/.local/share/keyrings/login.keyring
4) Files stored in $HOME/.ssh

Mozilla Firefox uses
1) Files stored in /etc/ssl/certs directory plus some hardcoded ones
2) $HOME/.mozilla/firefox/{profilename}/certX.db [x is an integer from 1 to 9]
3) $HOME/.mozilla/firefox/{profilename}/keyX.db [x is an integer from 1 to 9]
4) Does not use SSH keys

Google Chrome uses:
1) Gnome keyring plus some hardcoded ones
2) Gnome keyring
3) Gnome keyring
4) Does not use SSH keys

The "plus some hardcoded ones" is especially annoying - basically all
those EV root CA certificates are hardcoded directly into the browser
and you can't delete them.

What I find annoying about all this is that due to the way browsers
work, it is extremely easy to impersonate a website and appear
legitimate. Nokia did[does?] this for cell phone web browsing.
http://www.zdnet.com/nokia-hijacks-mobile-browser-traffic-decrypts-https-data-7000009655/

To be listed as a root CA you either need to pay an auditor to review
your processes [auditors are CPAs and most auditors are those same
companies which certified mortgage default swap packages as triple A] or
you need to be associated with a national government ['technically' a
government sponsored CA has to be audited but in practice it can audit
itself]
http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/

Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV)
China Internet Network Information Center (CNNIC)
Government of Taiwan, Government Root Certification Authority (GRCA)
Government of Japan, Ministry of Internal Affairs and Communication
Government of France (ANSSI, DCSSI)
Government of The Netherlands, PKIoverheid
Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM)

At the end of the day, I'd rather just have an empty 'official' keychain
and just automatically add roots to my personal keychain as I need to.
It's more secure than trusting the root certificates.

Initially I tried installing an empty keychain to /etc/ssl but I found a
lot of programs assume the existence of some of the root CAs they have gotten
their certificates from and instead of prompting to add a new
certificate, attempts to run the applications cause the application to
abort.
_______________________________________________
Mid-Hudson Valley Linux Users Group http://mhvlug.org
https://mhvlug.org/cgi-bin/mailman/listinfo/mhvlug
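
An added example, not part of the original thread: one way to notice when a package upgrade has rewritten the system bundle is to compare the roots in it against a personal allowlist of SHA-256 fingerprints. The function names and the sample data are assumptions made for illustration; the sample "certificates" are constructed placeholder blobs, not real roots.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)


def fingerprints(pem_text):
    """SHA-256 fingerprint (hex) of each certificate's DER bytes in a PEM bundle."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_text)]


def audit(pem_text, allowed):
    """Return (unexpected, missing) relative to a personal fingerprint allowlist.

    unexpected: roots in the bundle that are not allowlisted (bundle order).
    missing: allowlisted roots that are no longer in the bundle (sorted).
    """
    present = fingerprints(pem_text)
    allowed = {fp.lower().replace(":", "") for fp in allowed}
    unexpected = [fp for fp in present if fp not in allowed]
    missing = sorted(allowed - set(present))
    return unexpected, missing


def _fake_pem(blob):
    """Wrap bytes in PEM armor: constructed test data, not a real certificate."""
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed sample: placeholder blobs standing in for three root certificates.
SAMPLE_BUNDLE = "".join(_fake_pem(b) for b in (b"root-A", b"root-B", b"root-C"))
SAMPLE_ALLOW = {
    hashlib.sha256(b"root-A").hexdigest(),
    hashlib.sha256(b"root-D").hexdigest().upper(),  # allowlisted but absent
}

if __name__ == "__main__":
    # On a real system, pass the contents of the bundle file named in the thread,
    # /etc/ssl/certs/ca-certificates.crt, and your own saved fingerprints.
    unexpected, missing = audit(SAMPLE_BUNDLE, SAMPLE_ALLOW)
    print("not allowlisted:", unexpected)
    print("allowlisted but absent:", missing)
```

Allowlist entries may be lower-case hex or colon-separated upper-case hex; both are normalised before comparison.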