Gentoo has just removed all WoSign and StartCom root certs entirely
https://bugs.gentoo.org/show_bug.cgi?id=598072
Apparently Mr. Lars didn't actually read what the Mozilla decision was all about, or had trouble understanding it. In any case, seeing "ooh ooh wosign bad, startcom bad", he went and hacked out both companies' certs entirely from their cert package -- which is a much more user-disrupting action than what Mozilla has decided to do (i.e. stop trusting only NEW certs, not ALL of them).
I am actually switching back most of my sites to WoSign right now (using my original certs from 2015). Let's give Gentoo users the chance to enjoy red screens of untrusted certificate on as many sites as possible in their browsers; if the distro they use is run by incompetent developers who think they must be holier than the pope, then that's what they basically deserve.
Comments
Oh damn, that is NOT good.
There's a compiling joke somewhere in here, I can feel it.
Francisco
Companies who sell certificates for money just lobby it. They don't want free deals. It's simple. Easiest method: revoke by browser owners.
Yeah, they started the action to rebuild the trusts and remove WoSign 18 days ago.
I don't know, this is a very valid reason:
Aside from that, any CA store distributor is free to untrust roots. Given the clusterfuck that StartCom/WoSign have made of it, and the fact that they've been caught backdating certificates, I don't necessarily consider this a "wrong" decision.
Well, this does affect the entire remaining user base of Gentoo, which is probably upwards of twelve people at this point.
Lol, I was thinking the same: who even still uses Gentoo?
I don't see anything wrong with this. Those CAs really fucked up, I'd rather not have them trusted.
What I see wrong with this is that a decision affecting all of the distro's users is taken arbitrarily by one person, without any kind of process, discussion or consensus; there's not even any attempt to justify it, and the decision itself ends up being way more problematic for people than what Mozilla (after lengthy public discussions) has decided to enact.
Moreover, what Gentoo did just reeks of being the easiest and most mindless knee-jerk reaction you could have, without any concern for side effects or consequences. And since long ago I've witnessed this kind of behavior from some devs (like that one), a disease of "hardenitis of the brain", i.e. boneheadedly trying to go for the most locked-down and "uber hardened" system possible, even if the end result is next to unusable (SELinux, anyone?).
I do use Gentoo for some webservers
That's a problem of the CA system, not of this incident.
There was. I just quoted it.
That depends on how you define "problematic". Visibly problematic? Sure, but does that really trump invisible security problems?
What problems? For Mozilla, after careful consideration and tons of first-hand experience in investigating this, it was enough to just block new certs -- will you argue they don't act in the users' best interests? But this guy on his own has simply decided otherwise.
And the breakage is already happening. Actually, the way I found out about this is that someone using Gentoo told me their RSS reader stopped working -- on a rather major news website that they read. And then in the bug comments people post that www.gnome.org no longer opens. But perhaps the most hilarious of it all: the "EVIDENCE" that the reporter links to is a discussion hosted on www.mail-archive.com, which ALSO uses a cert from StartCom! Ya, remember, StartCom is not just about "those shoddy free certs"; they also had services at $60 and $200/year, used by lots of actual important websites that people need. And now all of those are broken for all Gentoo users -- even including all the certs they issued before being acquired by (gasp) "THE CHINESE".
For the second time: I've already quoted it. The problems are explained quite clearly:
wosign no longer provide free certs :P
Then why not add a finer-grained system-wide trust control? As I said, just pulling the plug entirely is surely the easiest knee-jerk, but certainly not a justifiable choice in this case.
Because applications don't support this. Not only would it be a massive effort to implement such a change in all TLS libs that use the CA roots (as a distro vendor), it would also be an extremely dangerous change - doing it wrong could completely break the integrity of the TLS stack, like with any crypto code.
You're essentially proposing a distro patch to OpenSSL, LibreSSL, BoringSSL, GnuTLS, and every other TLS thing that's shipped with Gentoo. And that's not even covering the applications that don't rely on the system-wide TLS implementation, and ship their own.
What they are doing now, while annoying, is simply the safer option.
They don't even need to, as all SSL is done via the two libraries they list anyways.
Sure, a distro patch adding things is a tad more complex than a distro patch breaking things.
How has it been working out for you?
They don't even need to, as all SSL is done via the two libraries they list anyways.
Almost nothing uses NSS (which, to my knowledge, is the only library where the notBefore restriction is implemented), and there are definitely more libraries in use than just OpenSSL. So no, that's not sufficient to cover all applications.
notBefore is checked by all libraries implementing SSL, to not allow for certs dated in the future (set your date/time to year 2000, and observe how nothing works).
On most GNU/Linux systems (just checked some of mine) it's OpenSSL, GnuTLS and wrappers on top of either of those. Even considering systems which use LibreSSL or BoringSSL, those are just forks of OpenSSL, so it all can be tracked back to just two codebases.
You know nothing Jon Snow.
It will take time until Gentoo users compile it on their own; doesn't seem to be a problem for me :-P
That does not extend to the special restrictions put in place by browsers in this incident.
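As an added illustration of the two approaches argued over in this thread (not code from the thread, from Gentoo or from Mozilla): a toy chain validator that applies the ordinary validity-window check every TLS library performs, and then compares "remove the root from the store" against "keep the root but reject leaves issued after a cutoff date". All certificate names and dates are constructed sample data, and the cutoff date is an assumed placeholder.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Minimal model of a certificate: only the fields the two policies look at.
# Real validation parses X.509 DER and checks signatures; that is omitted here.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: date
    not_after: date

def validate(chain: List[Cert], trusted_roots: Set[str], now: date,
             distrust_after: Optional[Dict[str, date]] = None) -> Tuple[bool, str]:
    """chain[0] is the leaf, chain[-1] the self-signed root.
    distrust_after maps a root subject to the date after which newly issued
    leaves chaining to it are rejected (the browser-style partial distrust)."""
    for cert in chain:                       # the check every library does
        if not (cert.not_before <= now <= cert.not_after):
            return False, f"{cert.subject}: outside validity window"
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, f"{child.subject}: issuer mismatch"
    root = chain[-1]
    if root.subject not in trusted_roots:    # distro-style: root simply absent
        return False, f"{root.subject}: root not trusted"
    if distrust_after and root.subject in distrust_after:
        if chain[0].not_before > distrust_after[root.subject]:
            return False, f"{chain[0].subject}: issued after cutoff"
    return True, "ok"

# Constructed sample chain: one root, one intermediate, an old and a new leaf.
ROOT = Cert("Sample Root CA", "Sample Root CA", date(2010, 1, 1), date(2030, 1, 1))
INTER = Cert("Sample Intermediate", "Sample Root CA", date(2014, 1, 1), date(2025, 1, 1))
OLD_LEAF = Cert("old.example", "Sample Intermediate", date(2015, 3, 1), date(2018, 3, 1))
NEW_LEAF = Cert("new.example", "Sample Intermediate", date(2017, 1, 5), date(2019, 1, 5))
OLD_CHAIN = [OLD_LEAF, INTER, ROOT]
NEW_CHAIN = [NEW_LEAF, INTER, ROOT]

FULL_STORE = {"Sample Root CA", "Other Root CA"}
GUTTED_STORE = FULL_STORE - {"Sample Root CA"}          # root removed outright
CUTOFF = {"Sample Root CA": date(2016, 10, 21)}          # assumed placeholder cutoff
NOW = date(2017, 1, 15)

if __name__ == "__main__":
    for name, chain in (("old leaf", OLD_CHAIN), ("new leaf", NEW_CHAIN)):
        print(name, "| root removed:", validate(chain, GUTTED_STORE, NOW),
              "| cutoff policy:", validate(chain, FULL_STORE, NOW, CUTOFF))
```

Running it shows the difference the thread is about: with the root removed both chains fail, while the cutoff policy keeps the 2015 leaf working and rejects only the one issued after the cutoff.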