Should we drop the SSL certificate bundle?

Rolf Eike Beer kde at
Wed Aug 18 23:18:17 BST 2010


I was wondering if we should just drop the SSL certificate bundle from kde. 
Some thoughts I had about this:

-is there any policy written down when a certificate is accepted? I searched a 
bit for "kssl" bugs and found e.g. 175651 where one new root was accepted (but 
bug is still open for what reason?) and 219508 where there was no further 
action (ok, these bugs can not really be compared for themself, but you should 
get the idea). So: when do we accept a root certificate? Where is the policy 
written down? And who watches on this?

-if the policy is just "do what at least 2 other browser vendors do" then why 
don't we get an agreement with e.g. Mozilla dudes to just use their store?

-every time I upgrade my KDE I have to re-add CAcert roots to my ssl store as 
the old one gets replaced (not to blame KDE so far). For a long time in KDE4 
it was not possible to add new CAs to the users store (tracked by 162485 
besides a ton of other stuff IIRC). Since all my boxes have the CAcert thing 
added to the global store I can not test right now. Maybe after 4.5.1.

-I just played with kontact-mobile on my N900. As usual I got the warning 
about an unknown certificate. It's just like on any other platform: you import 
$cert into Mozilla (twice if you are lame enough to also use Thunderbird), 
once into the global store and once for KDE.

I think I start to repeat to tell my positions from different angles. Ok, 
let's shorten this:

-do we have a policy for our certs? If yes, which one?

-do we _really_ want to care? For Mozilla SSL/TLS is essential. For KDE 
software it's just a small part as we have so many libraries and applications 
in our stack.

When we do our own bundle we must do it really good, i.e. with extremely 
careful checking of what we add, strict policy, you name it. Otherwise it's 
just not worth the effort IMHO.

Isn't it enough if we just rely on the global store? For Un*x system that 
should be really easy, the distributor just has to change the path of the 
default kssl store to the global one and is done. For Windows, well, I don't 
know. Probably not that straightforward. In doubt the distributor (the KDE 
windows team in this case) still would have the option to just grab any 
randomly (or more carefully) chosen root store (e.g. the Mozilla one, the 
Debian one, the what-do-I-know one) and deliver that.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: <>

More information about the kde-core-devel mailing list