Package shipping their own CA and security

Michael Scherer misc at zarb.org
Fri Feb 8 17:42:13 UTC 2013


On Friday, 8 February 2013 at 16:54 +0100, Miloslav Trmač wrote:
> Hello,
> On Fri, Feb 8, 2013 at 12:41 PM, Michael Scherer <misc at zarb.org> wrote:
> >
> > - ban all certificates if used to validate something.
> I think this is too strict; there may be legitimate cases of
> service-specific CAs; there even are projects that use the X.509
> certificate format for something completely unrelated to the global CA
> universe.  Requiring an exception or an independent review may be
> fine.
Of course, when I mean "ban all", I mean "unless exceptions".
And finding those potential exceptions is also one reason to have this
thread :)

> > We cannot automate that test, since private key and certificates are
> > often used in tests suite. And as long as this is just used for testing
> > purpose, the certificate should be ok.
> Wouldn't this be handled by only checking the binary packages, and
> allowing private keys/certificates in SRPMs?  Shipping test suites is
> usually not that valuable (... speaking as an owner of a package that
> does ship a test suite :)  It will be dropped soon).

Usually, the tests end in %doc, so maybe that's something that can be
used. Sometimes, that's also used as an example (see the various Perl
modules shipping a cert). Even if I can imagine people using the
example to set up a service and ending up with a non-private key. Not
sure if we should prevent that or just let Darwin do his job...
 
> > If people want to look at
> > affected packages, there is
> > # yum whatprovides '*pem'
> That's quite a few :(  Don't forget about other formats - .der, .p12
> at least; possibly also the native NSS and Java formats.

I will add .der and .p12. For the native formats, I am not a certificate
specialist, so I will have to look and see what can be done.

-- 
Michael Scherer
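As an added illustration of the check discussed above (this is example code, not something posted in the thread or shipped by Fedora): a small POSIX shell scanner for an unpacked binary package that classifies PEM files by their header and applies the thread's proposed rule: private keys are a defect anywhere, certificates under %doc are tolerated as examples, and certificates elsewhere are flagged for review. It assumes %doc files land under /usr/share/doc and only handles PEM, not the binary .der/.p12 or NSS/Java formats; the sample tree is constructed inline.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes %doc content
# is installed under /usr/share/doc. Only PEM text is recognised; DER,
# PKCS#12 and native NSS/Java stores need a different check.

# Print the kind of PEM object found in a file:
# private-key, certificate, or other.
classify_pem() {
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo private-key
    elif grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo certificate
    else
        echo other
    fi
}

# Apply the thread's rule to one file and print a verdict line.
pem_verdict() {
    kind=$(classify_pem "$1")
    case "$kind:$1" in
        private-key:*)                   echo "FAIL private key: $1" ;;
        certificate:*/usr/share/doc/*)   echo "OK doc example: $1" ;;
        certificate:*)                   echo "REVIEW certificate outside %doc: $1" ;;
        *)                               echo "OK not a cert: $1" ;;
    esac
}

# Walk an unpacked package tree (e.g. from rpm2cpio | cpio -id) and
# report on every file whose name suggests PEM material.
scan_tree() {
    find "$1" -type f \( -name '*.pem' -o -name '*.crt' -o -name '*.key' \) \
        | while read -r f; do pem_verdict "$f"; done
}

# Constructed sample tree: one %doc example cert, one real-looking key.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/usr/share/doc/foo" "$demo_root/etc/foo"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB(constructed)' \
    '-----END CERTIFICATE-----' > "$demo_root/usr/share/doc/foo/example.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIE(constructed)' \
    '-----END RSA PRIVATE KEY-----' > "$demo_root/etc/foo/server.pem"

scan_tree "$demo_root"
```

Run it against a real tree by replacing the constructed `demo_root` with the output directory of `rpm2cpio pkg.rpm | cpio -id`.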