From: Dan Lukes
To: freebsd-security
Subject: Re: CA's TLS Certificate Bundle in base = BAD
Date: Fri, 26 Feb 2021 08:41:21 +0100
Message-ID: <77c6d5bf-a213-5fae-df0d-542aa9a4a0a5@obluda.cz>
In-Reply-To: <20210226010750.GY5246@funkthat.com>

On 26.2.2021 2:07, John-Mark Gurney wrote:
>> Third party CA's are an untrusted
>> automagical nightmare of global and local MITM risk...
>
> Do you delete all the CA's from your browsers then?

Yes, I'm cleaning them from the browser, then I'm adding a few CAs as needed.

Despite that, I'm not on grarpamp's side.

People are installing the FreeBSD system on their computers - it requires a lot of trust. Most users can trust even the CA list that's part of the FreeBSD system.

And those paranoid users like me? We will check the pre-installed CA list all the time. We do it now and we will do it even in the future. Because we trust no one. So we don't care what the content of the file in the stock install is.

So I don't vote for grarpamp's proposal. It will decrease the effective security of the "standard user" and it will not help the paranoid ones.

But it would be nice to know how it works. What CAs are included in the distributed bundle? Who is making the final decision? What rules is he obliged to follow? It should be documented somewhere.

> Having tried to verify the certificate for a bank when verisign f'd
> up their cert really doesn't work, trust me I've tried it, the
> support has zero clue what you're talking about, and they have no
> process to handle such a question...

My bank has the defined process you are speaking of here. I have been the IT security officer of such a bank and I defined the process in question. For about ten years, there has been one (!) call asking for verification of the certificate. And it was a call from my friend who was curious to verify if it works ...

Despite that, it's not an argument related to the topic we are speaking about.

Certificates are just a tool. It can be used properly or improperly. The proper use of a tool depends on the goal, so the goal needs to be discussed first.

Dan