Bug#721976: (no subject)

2017-05-26 Thread Jacob Hoffman-Andrews
Hi, just checking in on the status of this. I provided a patch above;
does it look good to you?



Bug#721976: (no subject)

2017-04-19 Thread Jacob Hoffman-Andrews
Hi! Any updates on this? Thanks!



Bug#721976: (no subject)

2017-03-20 Thread Jacob Hoffman-Andrews
Great! Here's my proposed patch. It winds up being pretty small, just
removing the lines from certdata2pem.py that pull in email certificates.

Thanks,
Jacob
From 68bc5e229a474fc2815dea530cc246e3d3b55008 Mon Sep 17 00:00:00 2001
From: Jacob Hoffman-Andrews 
Date: Mon, 20 Mar 2017 12:28:55 -0700
Subject: [PATCH] Remove email-only roots from mozilla trust store

These roots are trusted in the Mozilla program only for S/MIME, so should not be
included in ca-certificates, which most applications use to validate TLS
certificates.

Per https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721976, the only MUAs that
depend on or suggest ca-certificates are Mutt and Sylpheed. Sylpheed doesn't use
ca-certificates for S/MIME. Mutt does, but I think it is still safe to remove
these because:

  (a) S/MIME is relatively uncommon, and
  (b) The CAs that have both TLS and S/MIME bits will continue to work, and
  (c) Nearly all of the 12 removed email-only CAs have ceased operation of their
  email certificate services

Verisign Class 1 Public Primary Certification Authority - G3
Verisign Class 2 Public Primary Certification Authority - G3
UTN USERFirst Email Root CA
SwissSign Platinum CA - G2
AC Ra\xC3\xADz Certic\xC3\xA1mara S.A.
TC TrustCenter Class 3 CA II
ComSign CA
S-TRUST Universal Root CA
Symantec Class 1 Public Primary Certification Authority - G6
Symantec Class 2 Public Primary Certification Authority - G6
Symantec Class 1 Public Primary Certification Authority - G4
Symantec Class 2 Public Primary Certification Authority - G4
---
 mozilla/certdata2pem.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
index f91422b..0b02b2a 100644
--- a/mozilla/certdata2pem.py
+++ b/mozilla/certdata2pem.py
@@ -104,8 +104,6 @@ for obj in objects:
 print("Certificate %s blacklisted, ignoring." % obj['CKA_LABEL'])
 elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_TRUSTED_DELEGATOR':
 trust[obj['CKA_LABEL']] = True
-elif obj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_TRUSTED_DELEGATOR':
-trust[obj['CKA_LABEL']] = True
 elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED':
 print('!'*74)
 print("UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL'])
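Review bot: once the CKA_TRUST_EMAIL_PROTECTION branch is gone, a root that was only admitted through it but carries CKA_TRUST_SERVER_AUTH == 'CKT_NSS_NOT_TRUSTED' now falls through to the following elif and prints the "UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND" warning; please confirm none of the 12 roots listed in the commit message have that value, or the build output will change. Consider also leaving a one-line comment at the removal site stating that email-only trust is deliberately ignored here, so the branch is not reintroduced on the next certdata.txt sync.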
-- 
2.8.0-rc3



Bug#721976: (no subject)

2017-03-17 Thread Jacob Hoffman-Andrews
Sorry, meant to address my previous message to Michael. :-)

I've done a little digging, and according to the first-level results from:

apt-rdepends --reverse --show=Depends,Recommends,Suggests ca-certificates

The only MUAs that depend, recommend, or suggest ca-certificates are
mutt and Sylpheed.

Sylpheed uses ca-certificates just for SSL:
https://github.com/jan0sch/sylpheed/blob/master/libsylph/ssl.c#L58.

Mutt seems to be the only MUA that uses ca-certificates for S/MIME. It
ships with /etc/Muttrc.d/smime.rc, which has:

set smime_ca_location=`for f in $HOME/.smime/ca-certificates.crt $HOME/.smime/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt ; do if [ -e $f ] ; then echo $f ; exit ; fi ; done`

These are the remaining CAs in the latest version of ca-certificates
from git that are present only because they have the email trust bit:

"Verisign Class 1 Public Primary Certification Authority - G3"
"Verisign Class 2 Public Primary Certification Authority - G3"
"UTN USERFirst Email Root CA"
"SwissSign Platinum CA - G2"
"AC Ra\xC3\xADz Certic\xC3\xA1mara S.A."
"TC TrustCenter Class 3 CA II"
"ComSign CA"
"S-TRUST Universal Root CA"
"Symantec Class 1 Public Primary Certification Authority - G6"
"Symantec Class 2 Public Primary Certification Authority - G6"
"Symantec Class 1 Public Primary Certification Authority - G4"
"Symantec Class 2 Public Primary Certification Authority - G4"

It's entirely possible that none of these CAs are actually used for
S/MIME by any Mutt user. For instance, Symantec end-of-lifed their email
offering in August 2016:
https://www.symantec.com/products/information-protection/digital-ids-secure-email.
ComSign doesn't offer email certificates anywhere on their site:
https://www.comsign.co.uk/. VeriSign was bought by Symantec ages ago.

After doing this research, I'd actually argue in favor of dropping these
CA's from ca-certificates outright, without making special provision for
S/MIME.
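The check described in this message, as an added example that is not part of the thread or of the ca-certificates package: it parses a constructed certdata.txt-style excerpt (the labels are made up, not real trust-store entries), mirrors the branch order of certdata2pem.py, and reports which roots would land in the TLS bundle with and without the email-protection branch.

```python
"""Classify certdata.txt trust objects the way certdata2pem.py does.

Added example; SAMPLE_CERTDATA is constructed and the labels are fictional.
"""
import re

TRUSTED = "CKT_NSS_TRUSTED_DELEGATOR"
NOT_TRUSTED = "CKT_NSS_NOT_TRUSTED"

# Constructed excerpt with only the attributes the check needs.
SAMPLE_CERTDATA = """\
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example TLS Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Email-Only Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
"""

def parse_trust_objects(text):
    """Yield one attribute dict per blank-line separated CKO_NSS_TRUST object."""
    for block in re.split(r"\n\s*\n", text.strip()):
        obj = {}
        for line in block.splitlines():
            parts = line.split(None, 2)  # attribute name, type, value
            if len(parts) == 3:
                obj[parts[0]] = parts[2].strip('"')
        if obj.get("CKA_CLASS") == "CKO_NSS_TRUST":
            yield obj

def classify(obj):
    """Same branch order as certdata2pem.py: server auth wins, then email."""
    if obj.get("CKA_TRUST_SERVER_AUTH") == TRUSTED:
        return "tls"
    if obj.get("CKA_TRUST_EMAIL_PROTECTION") == TRUSTED:
        return "email-only"
    if obj.get("CKA_TRUST_SERVER_AUTH") == NOT_TRUSTED:
        return "distrusted"
    return "none"

def bundle_labels(text, include_email_only):
    """Labels that end up in the bundle under the old (True) or patched (False) rule."""
    allowed = {"tls", "email-only"} if include_email_only else {"tls"}
    return [o["CKA_LABEL"] for o in parse_trust_objects(text) if classify(o) in allowed]

if __name__ == "__main__":
    print("before patch:", bundle_labels(SAMPLE_CERTDATA, True))
    print("after patch: ", bundle_labels(SAMPLE_CERTDATA, False))
```

Run against a real certdata.txt, the "email-only" class is exactly the set of roots this message lists.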