Linux Certificate Authority root stores have a too simple view of 'trust'

Summary

Linux systems ship a 'system CA root store' that is usually built from Mozilla's CA root store, and Mozilla is now partially distrusting the TrustCor CA certificates: certificates that TrustCor issued before December 1st remain trusted, while anything issued after that date is not. The traditional 'CA root store' model on Unix is too limited to express this, because it has no way to make nuanced trust decisions such as trusting some certificates chaining to a root and not others. Linux distributions may choose to drop TrustCor completely, but they have to be aware of the issue and make a deliberate decision. Once all TrustCor certificates issued before December 1st have expired, the TrustCor roots will be removed from the Mozilla root store, and that removal will then propagate to Linux distributions.

Q&As

What is a 'system CA root store' in Linux?
A 'system CA root store' in Linux is the list of all CA root certificates that are trusted by default by most TLS-using software.

What is the news regarding TrustCor CA certificates?
The news regarding TrustCor CA certificates is that Mozilla (and Microsoft) are distrusting them.

What is the traditional 'CA root store' model on Unix?
The traditional 'CA root store' model on Unix is binary: if a certificate chains up to a CA certificate in the root store, it's trusted; if it doesn't, it's not trusted.

What is the problem for Linux distros regarding TrustCor certificates?
The problem for Linux distros regarding TrustCor certificates is that Mozilla's partial distrust (trusting certificates issued before a cutoff date but not after it) is a nuanced trust decision, and most code that uses a 'CA root store' doesn't support this sort of nuance; it expects a store of fully trusted CA certificates.

When will the TrustCor root certificates be removed from the Mozilla root store?
The TrustCor root certificates will be removed from the Mozilla root store once all TrustCor certificates issued before December 1st have expired, which will likely take about a year.

AI Comments

👍 This article provides a great overview of the nuanced trust decisions that need to be taken by Linux distributions when dealing with CA root stores.

👎 This article fails to provide a solution to the problem of Linux distributions trusting expired certificates for too long.

AI Discussion

Me: It talks about how Linux certificate authority root stores have a too simple view of trust. It mentions that many Linux distributions use Mozilla's CA root store, and that Mozilla (and Microsoft) are now distrusting the TrustCor CA certificates. It goes on to say that Linux systems are unable to handle this nuanced trust decision, and that most code that uses a 'CA root store' expects a 'root store' that contains a bunch of fully trusted CA certificates.

Friend: That's really interesting. It raises a lot of questions about how Linux systems manage trust.

Me: Definitely. It's a big issue because it could have implications for system security if Linux systems are not able to properly handle the nuances of trust. It's even more worrying when you consider that most code that uses a 'CA root store' doesn't have support for understanding these nuances.

Technical terms

Linux Certificate Authority (CA) root stores
A list of all CA root certificates that are trusted by default by most TLS-using software on Linux systems.
TrustCor CA certificates
Certificates issued by TrustCor, a Certificate Authority.
TLS
Transport Layer Security, a cryptographic protocol used to secure communications over the internet.
Fediverse
A decentralized social network, consisting of a large number of interconnected websites.
Mozilla root store
A list of root certificates that are trusted by Mozilla, the company behind the Firefox web browser.
Distrust for After Date
A marker in the Mozilla root store indicating that certificates issued by a particular Certificate Authority should not be trusted after a certain date.
CA root store
A list of root certificates that are trusted by default by most TLS-using software.
TLS packages
Software packages that provide Transport Layer Security.
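The summary above and the 'Distrust for After Date' entry describe the gap between the classic binary root-store model and Mozilla's partial distrust. The following Python is an added illustration, not code from the article or from any TLS library; the certificates, the root store and the cutoff date are constructed samples, and it models the distrust-after rule as "the leaf certificate's notBefore must precede the cutoff".

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: date          # the certificate's notBefore (issue) date

@dataclass(frozen=True)
class RootEntry:
    subject: str
    distrust_after: Optional[date] = None   # None: fully trusted (classic model)

# Constructed sample store: one ordinary root and one root carrying a
# "Distrust for After Date" marker (cutoff mirrors the December 1st in the text).
STORE: Dict[str, RootEntry] = {
    "Example Root CA": RootEntry("Example Root CA"),
    "Sample TrustCor Root": RootEntry("Sample TrustCor Root", date(2022, 12, 1)),
}

def find_root(chain: List[Cert], store: Dict[str, RootEntry]) -> Optional[RootEntry]:
    """Walk leaf -> intermediates; each cert's issuer must be the next cert's subject.
    Returns the store entry the last certificate chains up to, or None."""
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject:
            return None
    return store.get(chain[-1].issuer)

def classic_trust(chain: List[Cert], store: Dict[str, RootEntry]) -> bool:
    """Traditional Unix model: the root is either in the store or it is not."""
    return find_root(chain, store) is not None

def nuanced_trust(chain: List[Cert], store: Dict[str, RootEntry]) -> bool:
    """Mozilla-style model: honour a root's distrust-after cutoff on the leaf's notBefore."""
    root = find_root(chain, store)
    if root is None:
        return False
    if root.distrust_after is None:
        return True
    return chain[0].not_before < root.distrust_after

def classic_store_view(store: Dict[str, RootEntry], drop_partial: bool) -> List[str]:
    """What a distro can hand to binary-only consumers: either keep partially
    distrusted roots as fully trusted, or drop them completely."""
    return sorted(s for s, e in store.items() if e.distrust_after is None or not drop_partial)

# Constructed sample chains: same intermediate, leaves issued before and after the cutoff.
INTER = Cert("Sample TrustCor Intermediate", "Sample TrustCor Root", date(2020, 1, 1))
OLD_CHAIN = [Cert("www.example.test", INTER.subject, date(2022, 11, 15)), INTER]
NEW_CHAIN = [Cert("www.example.test", INTER.subject, date(2023, 1, 10)), INTER]
```

The classic model accepts both chains because it only asks whether the root is present; the nuanced model rejects the leaf issued after the cutoff, and `classic_store_view` shows the two choices a distro is left with when its consumers cannot express that distinction.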
