Web lists-archives.com

Re: gpg ca-cert-file=[which file???]




On 7/16/17, René Berber wrote:
> On 7/16/2017 11:38 AM, Lee wrote:
>
> [snip]
>>   ok... man update-ca-trust
>>   FILES
>>      /etc/pki/tls/certs/ca-bundle.trust.crt
>>         Classic filename, file contains a list of CA certificates in
>> the extended BEGIN/END TRUSTED CERTIFICATE file format,
>>         which includes trust (and/or distrust) flags specific to
>> certificate usage. This file is a symbolic link that refers
>>         to the consolidated output created by the update-ca-trust
>> command.
> [snip]
>> It looks like there's some certs in
>> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt that I don't
>> want to trust.. but how to tell which ones & how to set
>> distrust/blacklist trust flags on them?  or maybe I need to copy them
>> to /etc/pki/ca-trust/source/blacklist/ ???
>>
>> Anyone have any pointers on how to distrust certs in
>> ca-bundle.trust.crt (assuming that _is_ the file I should be using) or
>> even how to show exactly what's in there?
>> $ grep "#" ca-bundle.trust.crt
>>  shows lots of comments but
>> $ openssl x509  -in ca-bundle.trust.crt -noout -subject -dates
>>  just shows me the first cert :(
>
> You should refer to the package announcement, and direct any questions
> about the package (not about its use) to its maintainer.

I came across this when looking for the ca-certificates package announcement:
  https://cygwin.com/ml/cygwin/2013-05/msg00385.html
it's from 2013:
    It has been brought to my attention that gnutls does not seem to be
    configured to use ca-certificates by default. This can be enabled by
    adding --with-default-trust-store-file=/usr/ssl/certs/ca-bundle.crt to
    configure flags

I'm still not clear about which trust store I should be using -
ca-bundle.crt or ca-bundle.trust.crt

> As I understand the package is just a bundle of the files distributed by
> Mozilla (which is the maintainer of the root certs).  For questions
> about those files, its contents, or its use... refer to Mozilla.

As far as I can tell, Mozilla thinks using their trust store for
anything other than firefox is out of scope - eg:
  https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/NHW4JA6xoAY
    mozilla.dev.security.policy ›
    Configuring Graduated Trust for Non-Browser Consumption


> Actually Mozilla distributes one file, which is then processed to create
> all the files that you see.
>
> The link you show to Mozilla about the trust on CNNIC also points out
> that the exception is made in code (i.e. hard-coded), and if you look
> above it clearly states: "The status of whether a root is approved to
> issue EV certificates or not is stored in PSM rather than certdata.txt",
> this certdata.txt is precisely the file I'm talking about above, so
> don't expect any of those Extended Validation changes to be present (and
> you can ask Mozilla why they do it in code, instead of in the certs).

I don't care about EV right now.  I don't want to trust any
certificate issued by CNNIC & a few other CAs.  How do I do that?

Thanks
Lee

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple