Interesting suggestion
Interesting suggestion
Posted Aug 31, 2025 22:04 UTC (Sun) by SLi (subscriber, #53131)Parent article: Linux's missing CRL infrastructure
https://github.com/openssl/openssl/issues/28186#issuecomm...
Basically, it suggests that the only reasonable way ahead could be to build some cooperation in how distros do this: Currently there are apparently three ca-certificate distro packages (Fedora, OpenSuse, Debian), all somehow derived from the Mozilla certificate packs. And Mozilla "apparently" doesn't want to be the upstream, and there's a cryptic (but I trust warranted) "Definitely do not pick Debian's".
All this sounds to me like there's some mapping to be done in the social space. Things that are quite nonobvious to me:
1. In what way are the Mozilla specific attributes critical for security (as mentioned in the article, that stripping them is insecure)?
2. What do the three distros do differently, and why? I'd hope the maintainers even talk informally every now and then, although apparently a mid-stream "adapted from Mozilla" project does not exist.
3. What does it mean that Mozilla, allegedly, doesn't want to be the upstream? Probably that their focus is Firefox and other Mozilla products. Hopefully not that they'd go to much lengths to sabotage anything. Could beneficial-to-everyone solutions exist?
And, of course, that still leaves the question of whether this realistically solves things that are not solved by shorter certificate lifetimes. I'd certainly hope so, because 47 days is a long time, but the reality seems to be messy.
(There was also a suggestion of p11-kit as a possible upstream in an earlier comment in that issue. I have little idea what that even is.)