RFC: root cert tool

Paul Millar p.millar at physics.gla.ac.uk
Wed Aug 15 13:44:32 CDT 2007


Hi Juan,

Sorry, I was going to reply earlier but was distracted...

On Wednesday 15 August 2007 00:08:23 Juan Lang wrote:
> Since there wasn't a clear consensus about how to get CA certificates
> into the registry, I decided to do what Mono does:  punt.  So I've
> written a tool that can load certificates from a file or from a URL
> and stick them in the registry.

Ta.  I've had a quick look.  A couple of minor comments:

You might want to include "BEGIN TRUSTED CERTIFICATE" as an option when 
parsing PEM-format files.  All the root CAs I've seen don't use this, but 
apparently it's a possibility.

Also, OpenSSL (but unfortunately not GnuTLS) can scan a directory, loading all 
files like <serial>.0 (e.g. "a87d9192.0").  Adding support for something like 
that might be useful, but certainly not urgent.

> By default it assumes you want to download them from Mozilla's CVS
> front-end, and does so.
>
> A patch that adds it is attached.  Comments?

Hmmm, I think we could do better than downloading from a static (well-known) 
URL.

As Jan Zerebecki put it:
> The problem with that is that what we want to download here are
> certificates. So for them to be of good use one needs to obtain
> them in a way so that the trust chain doesn't break too much.

Exactly.  This is one of the big problems with PKI: obtaining the CA root 
certificates.  In general, it's impossible to do this reliably using just the 
Internet: some out-of-band traffic (Phone, FedEx?) is needed to establish 
the trust.

> The easiest way to get that is by distributing them with the
> normal source (and thus also with the distribution specific
> packages). Those are usually signed.
[...]

One of the nice features of git (if I've understood correctly) is its 
cryptographic internal consistency checks: if one trusts the first SHA-1 hash 
then all subsequent git-objects can be verified: you know the tree is always 
as Alexandre intended.

There's still the problem of how can Alexandre know that the CA Root 
certificates on his hard disk are valid.  This would require CDROM+FedEx (or 
similar).

However, by distributing the CA root certs via git, we can verify them 
independently (by use, if nothing else).  This effectively pushes the 
possible Man-in-the-Middle attack back to somewhere upstream of the last 
common component of the set of testers' networks.  Given a sufficiently large 
set of testers, this is the CA website itself.  Probably "good enough".

Just my 2c worth :-)

Cheers,

Paul.
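
The two parsing suggestions in the message above (accepting the "BEGIN TRUSTED CERTIFICATE" label and scanning a directory for files named like "a87d9192.0"), sketched in Python as an added example; it is not code from the patch under discussion or from Wine. The function names are hypothetical, the sample bytes are constructed stand-ins rather than real certificates, and it assumes OpenSSL's trusted form, in which auxiliary trust data follows the certificate inside the same base64 payload.

```python
import base64
import re
from pathlib import Path

# Both labels are accepted; the END label must match the BEGIN label.
PEM_RE = re.compile(
    r"-----BEGIN ((?:TRUSTED )?CERTIFICATE)-----(.*?)-----END \1-----", re.S)
HASHED_NAME = re.compile(r"[0-9a-f]{8}\.\d+")  # e.g. a87d9192.0

def split_first_sequence(der):
    """Split DER bytes into (leading SEQUENCE, trailing bytes)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("payload does not start with a DER SEQUENCE")
    length, header = der[1], 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        if not 1 <= count <= 4 or len(der) < 2 + count:
            raise ValueError("unsupported or truncated DER length")
        length, header = int.from_bytes(der[2:2 + count], "big"), 2 + count
    if header + length > len(der):
        raise ValueError("truncated DER element")
    return der[:header + length], der[header + length:]

def parse_pem(text):
    """Return [(label, cert_der, aux_der)] for every certificate block in text."""
    found = []
    for label, body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        cert, rest = split_first_sequence(der)
        # Only the TRUSTED form may carry data after the certificate itself.
        if rest and label == "CERTIFICATE":
            raise ValueError("trailing bytes after a plain CERTIFICATE")
        found.append((label, cert, rest))
    return found

def load_hashed_dir(directory):
    """Parse every file in directory whose name looks like a87d9192.0."""
    certs = []
    for path in sorted(Path(directory).iterdir()):
        if path.is_file() and HASHED_NAME.fullmatch(path.name):
            certs.extend(parse_pem(path.read_text(encoding="ascii", errors="replace")))
    return certs

def to_pem(label, der):  # helper for building constructed samples
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

if __name__ == "__main__":  # constructed sample: DER framing only, not a real X.509 certificate
    sample = to_pem("TRUSTED CERTIFICATE", bytes.fromhex("3003020105") + bytes.fromhex("3000"))
    print(parse_pem(sample))
```

A consumer that passes the whole decoded TRUSTED payload to a plain X.509 decoder will see trailing bytes, so the certificate is split off first and the auxiliary part is returned separately.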


