Our AI writing assistant, WriteUp, can assist you in easily writing any text. Click here to experience its capabilities.
Linux Certificate Authority root stores have a too simple view of 'trust'
Summary
Linux systems have a 'system CA root store' that includes Mozilla's CA root store, which Mozilla is now partially distrusting the TrustCor CA certificates from. The traditional "CA root store" model is too limited for Unix systems, as it does not support nuanced trust decisions, such as trusting some certificates and not others. Linux distributions may choose to drop TrustCor completely, but they must be aware of the issue and make a decision. Once all TrustCor certificates issued before December 1st expire, the TrustCor roots will be removed from the Mozilla root store, which will then propagate to Linux distros.
Q&As
What is a 'system CA root store' in Linux?
A 'system CA root store' in Linux is the list of all CA root certificates that are trusted by default by most TLS-using software.
What is the news regarding TrustCor CA certificates?
The news regarding TrustCor CA certificates is that Mozilla (and Microsoft) are distrusting them.
What is the traditional 'CA root store' model on Unix?
The traditional 'CA root store' model on Unix is that if a certificate chains up to a TLS certificate in the root store, it's trusted; if a certificate doesn't, it's not trusted.
What is the problem for Linux distros regarding TrustCor certificates?
The problem for Linux distros regarding TrustCor certificates is that most code that uses a 'CA root store' doesn't support this sort of nuanced trust decision.
When will the TrustCor root certificates be removed from the Mozilla root store?
The TrustCor root certificates will be removed from the Mozilla root store once all TrustCor certificates issued before December 1st have expired, which will likely take about a year.
AI Comments
👍 This article provides a great overview of the nuanced trust decisions that need to be taken by Linux distributions when dealing with CA root stores.
👎 This article fails to provide a solution to the problem of Linux distributions trusting expired certificates for too long.
AI Discussion
Me: It talks about how Linux certificate authority root stores have a too simple view of trust. It mentions that many Linux distributions use Mozilla's CA root store, and that Mozilla (and Microsoft) are now distrusting the TrustCor CA certificates. It goes on to say that Linux systems are unable to handle this nuanced trust decision, and that most code that uses a 'CA root store' expects a 'root store' that contains a bunch of fully trusted CA certificates.
Friend: That's really interesting. It raises a lot of questions about how Linux systems manage trust.
Me: Definitely. It's a big issue because it could have implications for system security if Linux systems are not able to properly handle the nuances of trust. It's even more worrying when you consider that most code that uses a 'CA root store' doesn't have support for understanding these nuances.
Action items
- Research the TrustCor CA certificates and their implications for Linux systems.
- Explore the possibility of collecting additional trust information from the Mozilla root store and including it in Linux distributions' packages of root certificates.
- Investigate the lack of support for selectively distrusting CAs in modern TLS packages and libraries, and consider ways to address this issue.
Technical terms
- Linux Certificate Authority (CA) root stores
- A list of all CA root certificates that are trusted by default by most TLS-using software on Linux systems.
- TrustCor CA certificates
- Certificates issued by TrustCor, a Certificate Authority.
- TLS
- Transport Layer Security, a cryptographic protocol used to secure communications over the internet.
- Fediverse
- A decentralized social network, consisting of a large number of interconnected websites.
- Mozilla root store
- A list of root certificates that are trusted by Mozilla, the company behind the Firefox web browser.
- Distrust for
After Date - A marker in the Mozilla root store indicating that certificates issued by a particular Certificate Authority should not be trusted after a certain date.
- CA root store
- A list of root certificates that are trusted by default by most TLS-using software.
- TLS packages
- Software packages that provide Transport Layer Security.