Should we drop the SSL certificate bundle?

Brad Hards bradh at frogmouth.net
Thu Aug 19 03:54:03 BST 2010


On Thursday, August 19, 2010 08:18:17 am Rolf Eike Beer wrote:
> I was wondering if we should just drop the SSL certificate bundle from kde.
Probably.

> Some thoughts I had about this:
> 
> -is there any policy written down for when a certificate is accepted? I
> searched a bit for "kssl" bugs and found e.g. 175651 where one new root
> was accepted (but the bug is still open, for what reason?) and 219508 where
> there was no further action (ok, these bugs can not really be compared in
> themselves, but you should get the idea). So: when do we accept a root
> certificate? Where is the policy written down? And who watches over this?
The rough policy is "Mozilla or IE", and they get added whenever I get enough 
enthusiasm to do so. I won't add certs unless the CA requests it (i.e. a user 
request is not enough) - we can't ship certs without the copyright holder's 
approval. I also won't add certs with very short key lengths.
It isn't a written policy - it was developed by George Staikos and handed down 
to me.

> -if the policy is just "do what at least 2 other browser vendors do" then
> why don't we get an agreement with e.g. Mozilla dudes to just use their
> store?
We could do that, but there are roots in our store that aren't in Mozilla for 
a combination of historical reasons.

> -every time I upgrade my KDE I have to re-add the CAcert roots to my SSL store
> as the old one gets replaced (not to blame KDE so far). For a long time in
> KDE4 it was not possible to add new CAs to the user's store (tracked by
> 162485 besides a ton of other stuff IIRC). Since all my boxes have the
> CAcert thing added to the global store I can not test right now. Maybe
> after 4.5.1.
There are two issues - what goes into the bundle we ship, and what else KDE 
can do with certs. I can only address the first one.
On the specific issue of CAcert - it can go in if it meets the other criteria. 
No special treatment.

> I think I'm starting to repeat my position from different angles. Ok,
> let's shorten this:
> 
> -do we have a policy for our certs? If yes, which one?
See above.

> -do we _really_ want to care? For Mozilla SSL/TLS is essential. For KDE
> software it's just a small part as we have so many libraries and
> applications in our stack.
I'd like to see it come from Qt (where our TLS comes from). Thiago was looking 
at this problem.

> When we do our own bundle we must do it really well, i.e. with extremely
> careful checking of what we add, strict policy, you name it. Otherwise it's
> just not worth the effort IMHO.
I'm not sure if this is a criticism or not. Do you have a problem with 
anything I've added?

> Isn't it enough if we just rely on the global store? For Un*x systems that
> should be really easy, the distributor just has to change the path of the
> default kssl store to the global one and is done. For Windows, well, I
> don't know. Probably not that straightforward. In doubt the distributor
> (the KDE Windows team in this case) still would have the option to just
> grab any randomly (or more carefully) chosen root store (e.g. the Mozilla
> one, the Debian one, the what-do-I-know one) and deliver that.
They still have this option.

Brad

More information about the kde-core-devel mailing list