OpenWrt and self-signed certificates
Posted Nov 19, 2020 1:40 UTC (Thu) by tialaramex (subscriber, #21167)
Parent article: OpenWrt and self-signed certificates
Certificate Authorities in the Web PKI have to obey not only the CA/B Baseline Requirements but the policies of each major root trust store, i.e. Microsoft, Apple, Google† and, most importantly for us, Mozilla. The intent of the BRs is that they encapsulate a coherent subset of these policies to try to avoid cases where the root store policies are contradictory - though they're perhaps not always successful for various reasons - but they do not now and never have replaced or subsumed the root store policies.
Mozilla policy does exempt certain types of technically constrained subordinate _but_ not in a way that's useful to OpenWrt here and that's intentional. All of the Web PKI is covered and OpenWrt wants Web PKI certificates so that they work in a browser. So e.g. all of Mozilla policy 3.1 on audits would apply to this subordinate. In practice it would have to live at the root CA's facilities on hardware they control or the liability concerns would be unbearable for them.
It is true however that OpenWrt is far from alone in having this problem. There are groups trying to figure out a way forward that would both be acceptable to the OS and browser vendors (so it works in your browser) and to those who make devices and firmware. This is a good time for somebody from OpenWrt to go out and talk to people in that space, and put OpenWrt's weight behind approaches that would suit them specifically before momentum is established on one route forward.
† Historically Google's popular Chrome browser did not have its own root store, but Android and Chrome OS did. However, this is now changing: all Google products (except on iOS, where Apple decides how everything works) will move to their own root store in the coming months.