Skip Menu |
 

This queue is for tickets about the Mozilla-CA CPAN distribution.

Report information
The Basics
Id: 70967
Status: open
Priority: 0/
Queue: Mozilla-CA

People
Owner: Nobody in particular
Requestors: thoger [...] redhat.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Mozilla::CA - do not add untrusted CAs from mozilla certdata.txt to cacert.pem
Date: Wed, 14 Sep 2011 18:46:00 +0200
To: bug-Mozilla-CA [...] rt.cpan.org
From: Tomas Hoger <thoger [...] redhat.com>
Download (untitled) / with headers
text/plain 707b
Hi! cacert.pem in the latest Mozilla-CA version (20110904) seems to have been generated with old mk-ca-bundle.pl that is unable to cope with untrusted certificates from certdata.txt. You should really be using current version that is able to skip those CAs that are imported to nss/mozilla bundle flagged as untrusted: https://github.com/bagder/curl/commit/809cde54166f959cdc84359306b4db22bb3f4c12 Changelog for the 20110904 says: - Remove and distrust DigiNotar seems to refer to: https://github.com/gisle/mozilla-ca/commit/842a12430b4e99c1caeb64340136d03c6dfb7280 which removes DigiNotar cert, re-adds it and also re-adds all other DigiNotar intermediates that nss/mozilla has as untrusted. th.
Download (untitled) / with headers
text/plain 154b
I've updated the mk-ca-bundle script and reran ./update-cacert-file and pushed the result back to github. Ask, do you want to push another CPAN release?
Download (untitled) / with headers
text/plain 332b
Yikes. Thanks Thomas. I was wondering about them being in the certdata.txt file, the change log from mozilla wasn't really clear to me so I thought "this certificate isn't really trusted" was encoded in the base64 data; but thinking about it now that was pretty dumb! Thank you again. I'll push a new release to CPAN shortly.
Subject: Re: [rt.cpan.org #70967] Mozilla::CA - do not add untrusted CAs from mozilla certdata.txt to cacert.pem
Date: Mon, 26 Sep 2011 09:50:47 +0200
To: bug-Mozilla-CA [...] rt.cpan.org
From: Tomas Hoger <thoger [...] redhat.com>
Download (untitled) / with headers
text/plain 358b
Hi! An FYI, mk-ca-bundle.pl got another update that makes it skip CAs that are marked as trusted for issuing email and/or code signing certificates in NSS, but are not marked as trusted or explicitly untrusted for server identification certs in the NSS builtins database. https://github.com/bagder/curl/commit/cd3cf55b47332769a0e737feb9c5a6d48dce5de9 th.
Subject: Re: [rt.cpan.org #70967] Mozilla::CA - do not add untrusted CAs from mozilla certdata.txt to cacert.pem
Date: Sun, 9 Oct 2011 00:00:50 -0700
To: bug-Mozilla-CA [...] rt.cpan.org
From: Ask Bjørn Hansen <ask [...] perl.org>
Download (untitled) / with headers
text/plain 779b
On Sep 26, 2011, at 0:50, Tomas Hoger via RT wrote: Show quoted text
> > An FYI, mk-ca-bundle.pl got another update that makes it skip CAs > that are marked as trusted for issuing email and/or code signing > certificates in NSS, but are not marked as trusted or explicitly > untrusted for server identification certs in the NSS builtins database. > > https://github.com/bagder/curl/commit/cd3cf55b47332769a0e737feb9c5a6d48dce5de9
Thanks Tomas! I added that to Mozilla::CA, too. I didn't make a release yet; can you glance over the changes to the CA file and confirm that it looks right? There are several of the certificates that I'd have expected from the name etc to be good that got removed. https://github.com/gisle/mozilla-ca/commit/9db65fdee937b6c74f73c16b7524e1c32b50e43c - ask
Subject: Re: [rt.cpan.org #70967] Mozilla::CA - do not add untrusted CAs from mozilla certdata.txt to cacert.pem
Date: Sun, 9 Oct 2011 19:45:27 +0200
To: bug-Mozilla-CA [...] rt.cpan.org
From: Tomas Hoger <thoger [...] redhat.com>
Download (untitled) / with headers
text/plain 1.9k
On Sun, 9 Oct 2011 03:00:58 -0400 ask@perl.org via RT wrote: Show quoted text
> I added that to Mozilla::CA, too. I didn't make a release yet; can > you glance over the changes to the CA file and confirm that it looks > right? There are several of the certificates that I'd have expected > from the name etc to be good that got removed. > > https://github.com/gisle/mozilla-ca/commit/9db65fdee937b6c74f73c16b7524e1c32b50e43c
As mentioned in my previous email, all those certificates that got removed when updated mk-ca-bundle.pl was used are not marked as trusted for issuing server identifications certs in NSS (see CKA_TRUST_SERVER_AUTH for relevant certs). If the purpose of Mozilla::CA is to provide a cert bundle to be used by SSL clients to check server SSL certificates, there should be no need to include CAs that should only issue email or code signing certs. I have double checked CAs removed in the above commit to confirm that they are trusted for email or code signing only. One exception is "UTN-USER First-Network Applications", which does not seem to be trusted for either of the uses in NSS. My guess is the removal of Verisign CAs raised the concerns, so I checked those against: https://www.verisign.com/support/roots.html Verisign Class 1 Public Primary Certification Authority This root CA is used today to sign all Class 1e-mail certificates. Verisign Class 2 Public Primary Certification Authority retired Verisign Class 1 Public Primary Certification Authority - G2 retired Verisign Class 2 Public Primary Certification Authority - G2 This root CA is used today to sign Class 2 client certificates issued through VeriSign's Managed PKI Service. Verisign Class 1 Public Primary Certification Authority - G3 This root CA will be used today to sign all Class 1e-mail certificates starting in Q4 2010 Verisign Class 2 Public Primary Certification Authority - G3 This root CA is used today to sign Class 2 client certificates issued through VeriSign's Managed PKI Service. th.
Thanks again Thomas, this has been released as 20111025.
Download (untitled) / with headers
text/plain 211b
On Tue Oct 25 02:46:11 2011, ABH wrote: Show quoted text
> Thanks again Thomas, this has been released as 20111025.
Gah, also thanks to Tomas. You'd think with my name I'd know to be more careful spelling other peoples names!


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.