[ubuntu-hardened] SSL Trust across components
Marc Deslauriers
marc.deslauriers at canonical.com
Fri Mar 6 12:12:07 UTC 2020
On 2020-03-06 3:00 a.m., Christian Ehrhardt wrote:
> Hi Security people,
> There is a bug [1] lingering for a while since it is more a security design
> question for Ubuntu than a technical problem. There are a few people from the
> community discussing from their POV, but the Server Team often has to back out,
> being unsure about the actual "security aspects" of this.
> Is it safe, is it good, are there drawbacks ...
>
> A while ago I subscribed ubuntu-security but I might have not pushed hard enough
> to get a response. I want to rekindle this topic by reaching out on the ML (and
> to Joe) and wanted to ask if you could assign someone from security to take a
> deeper look at what/if we'd want to do about it.
>
> After 20.04 is probably a good time to do such a change, so now is the time to
> discuss ...
>
> P.S. I'd have tried to catch you on the sprint, but since that failed let's mail
> about it ...
>
> [1]: https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1647285
>
This has long been a sore point in Linux distros. I think it would be a good
idea, though the amount of work required to do so is quite high. At least the
following crypto engines would need to be configured or modified to use a
central CA store:
- OpenSSL
- GnuTLS
- NSS
- NSS bundled with Firefox
- Whatever engine is bundled with Chromium these days
We would need to get Mozilla's permission to modify the NSS bundled with Firefox.
I'm also unsure what will happen with snaps.
Marc.