Introduction

/usr/share/ssl/ca-bundle.crt is used by OpenSSL as a database of root certificates. If the certificate for the current OpenSSL-served session is not signed by one of the certificates found there, the application should display a big fat warning.

Security

Users who ignore the big fat warning mentioned above are open to a man-in-the-middle attack. [1] Using SSL without checking certificates is mostly pointless and gives a false sense of safety.

Actual condition

Our ca-bundle.crt contains only Unizeto certificates. Pointless; it should either be empty or contain more.

Problem

We are, of course, due to state that our users should care about whom they trust on their own. Being a perfectly consistent policy (and an easy to maintain one ;-), it's not very user friendly. IMO, user-unfriendly security issues usually get ignored.

Proposed solution

Use certificates from Mozilla.

Possible implementations

Use the ca-bundle.pl script from apache1-mod_ssl (only in sources, we don't distribute it) to fetch certificates from Mozilla CVS and create ca-bundle.crt. Then:

a) Just install it in /usr/share/ssl/, marking it as %config(noreplace).
b) Create a directory in /etc [2] and symlink /usr/share/ssl to it.
c) Whatever.

For now (and for Ac), I'd choose a).

Alternate solution

Create an (init?) script to use the contents of /usr/share/certs and maybe some other directory (for the user's own certificates).

Unizeto

According to [3], there were concerns about distributing their certificates. I'd leave it as is and add them to ca-bundle.pl's output.

[1] I know a small ISP who did (maybe still does) that to force its own transparent SMTP relay. The ISP's CA certificate was (is) installed in the user's system by a technician during network installation. Clients never complained...
[2] http://blogs.gurulabs.com/dax/archives/2005/05/warning_changes.html
[3] http://7thguard.net/news.php?id=1637

-- 
Radosław Zieliński <[EMAIL PROTECTED]>
_______________________________________________ pld-devel-en mailing list pld-devel-en@lists.pld-linux.org http://lists.pld-linux.org/mailman/listinfo/pld-devel-en
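The point made in the post (a bundle that carries one vendor's root is useless for everyone whose server chains to a different root, and appending the missing roots is what makes OpenSSL verification meaningful) can be reproduced offline with the openssl CLI. The script below is an added example, not code from the post or from PLD; it builds two throwaway root CAs and one server certificate in a temp directory, then runs `openssl verify` once against a bundle holding only the unrelated root and once against the same bundle with the real issuer appended. It assumes an `openssl` binary (1.1.1 or newer) on PATH; all certificate names, the config files and the `WORK` directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the original post): why a CA bundle must contain
# the root that actually issued the server's certificate.
# Assumes: openssl 1.1.1+ on PATH. Everything under $WORK is generated here.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the demo does not depend on the system openssl.cnf.
write_cnf() {
    cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.test
EOF
}

# make_ca NAME CN: self-signed root CA written to $WORK/NAME.{key,crt}
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/req.cnf" \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# make_leaf NAME CA: server certificate for mail.example.test signed by CA
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj "/CN=mail.example.test" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -set_serial 1 -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# verify_against BUNDLE CERT: exit 0 iff CERT chains to a root found in BUNDLE.
# This is the same check an application performs with SSL_CTX_load_verify_locations
# pointed at ca-bundle.crt.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# run_demo: exit 0 only if the narrow bundle rejects and the merged bundle accepts
run_demo() {
    write_cnf
    make_ca rootA "Example Root A"      # the CA that really signed the server cert
    make_ca rootB "Unrelated Root B"    # stands in for a bundle with one vendor's CA
    make_leaf server rootA

    # Bundle 1: only the unrelated root. Must fail ("unable to get local issuer
    # certificate"), which is the situation every non-customer of that CA is in.
    cp "$WORK/rootB.crt" "$WORK/bundle-narrow.crt"
    if verify_against "$WORK/bundle-narrow.crt" "$WORK/server.crt"; then
        echo "unexpected: accepted without the issuer in the bundle"; return 1
    fi

    # Bundle 2: the same file with the real root appended, which is what merging
    # a larger root list into ca-bundle.crt achieves.
    cat "$WORK/rootB.crt" "$WORK/rootA.crt" > "$WORK/bundle-merged.crt"
    verify_against "$WORK/bundle-merged.crt" "$WORK/server.crt" || {
        echo "unexpected: rejected although the issuer is present"; return 1; }
    echo "ok: narrow bundle rejects, merged bundle accepts (files in $WORK)"
}

run_demo
```

`openssl version -d` prints the OPENSSLDIR that applications fall back to when they do not name a bundle explicitly, which is where the ca-bundle.crt discussed above lives on the distribution in question. Note that appending roots is additive: the existing entries keep working, and only certificates chaining to a root that is still missing are rejected, so leaving the Unizeto roots in place and adding Mozilla's list does not regress anyone.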