-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/06/2016 11:23 AM, Michael Catanzaro wrote:
Hi,
Is any important software (e.g. openssl, gnutls, glib-networking,
Qt) in Fedora still relying on our legacy 1024-bit root RSA
certificates?
I believe Fedora is currently the only distro currently shipping
these insecure root certificates. Originally, this was a good
choice (and big thanks to Kai Engert for making it happen) because
they were needed for compatibility with software using OpenSSL or
GLib sockets. Nowadays, I'm not aware of any software that still
needs them.
Since keeping these certificates around is a serious security
issue, I propose we remove them if nothing "important" still needs
them.
You can test if any of your software needs these certificates by
running 'sudo ca-legacy disable'.
Well, the problem was never software that Fedora was shipping. The
problem is Fedora *as a client*. There are unfortunately many websites
out there that are still signed by insecure certificates. We certainly
need to choose a sunset date to stop shipping those insecure CAs, but
unfortunately we can't force everyone in the world to switch to sane
certificates.
(Realistically, this won't change until 6-12 months after Google
Chrome, Microsoft Internet Explorer and Apple Safari all eliminate
those CAs). I don't have any information on if or when this will
happen, but that's just about the only way that website admins will
suddenly care enough to fix things.
(It would also be nice if the CA issuers would be kinder about just
reissuing existing certificates without a fee, but they aren't...)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iEYEARECAAYFAlaNVUoACgkQeiVVYja6o6OnuACfUoTJvME2cRMBNIvDv4gEpy57
9HoAnAwSDYQU+wkDsBF/VeQMZ0QJcW8d
=qWyf
-----END PGP SIGNATURE-----