On Tue, 2014-09-09 at 10:34 +0200, Nikos Mavrogiannopoulos wrote:
> On Mon, 2014-09-08 at 23:26 -0700, Adam Williamson wrote:
> > On Mon, 2014-09-08 at 09:00 -0500, Michael Catanzaro wrote:
> > > On Mon, 2014-09-08 at 10:06 +0200, Nikos Mavrogiannopoulos wrote:
> > > > Unfortunately only NSS works. Both openssl and gnutls fail to connect to
> > > > popular sites because of that change. It should not be assumed that the
> > > > users of ca-certificates are only programs using nss.
> > >
> > >  is an interesting read. I get the impression that certificates are
> > > being removed as long as there is a compatible replacement that NSS can
> > > validate, based on NSS's custom strategies for certificate validation.
> > > Is this claim accurate?
> >
> > "Custom strategies" is an interesting concept. AFAICS, the TLS standard:
> > does not exactly define 'standard' certificate verification strategies,
> > so in a sense, they're *all* "custom". In other words, we're in
> > Standard Ambiguity Land here. What that doc has to say about chains,
> > AFAICS, is:
>
> You are referring to the wrong document. Certificate validation is outside
> the scope of TLS, and as you already noticed it only mentions the format
> of the chain and nothing more. A Certificate Path validation algorithm
> is defined in RFC5280 by the PKIX working group which is (or was) the
> relevant group for X.509 certificates in IETF.

Ah, indeed, missed that one. Thanks.

> So it may be that everyone uses a slightly different verification
> algorithm, but we should expect at least the base-line to work. We
> should not require software to be NSS.

I think you're making a good point, but possibly too strongly...the
ca-certificates folks are just trying to keep the database strong, it's
not as if they set out to 'require software to be NSS'. As I mentioned,
the folks maintaining the ca-certificates package are the same folks
behind the Shared System Certificates feature -
required a whole chunk of work to get the major TLS engines using the
same certificate store; they're certainly not unfamiliar with openssl
and gnutls, I don't think. The database uses NSS's certificate list as
its starting point because it's the strongest contender for such a role,

Your report has already been taken up for action, it appears:

"I think Symantec should reach out to Amazon, and potentially to other
customers, too, and suggest to remove intermediates from their server
configurations that point to these old roots."

"Brian, thanks for the pointer. I will work with our team to see about
getting our cert chains updated for S3. Leaving in needinfo until I
have more data." (from an Amazon employee)

so...it seems like wheels are in motion. Note that the updates for both
F19 and F20 are still in u-t and have not been pushed stable yet...as
Kai explicitly sent the update to u-t with a high auto-push threshold
and sent this email out to ask people to report cases where it caused
problems, I'd say things are working out more or less as intended,
you've raised an issue and it's being dealt with.

Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net