Bug 376925 - cacert.org root certificate inclusion
Status: RESOLVED NOTGNOME
Product: epiphany
Classification: Core
Component: [obsolete] Backend:Mozilla
Version: unspecified
Hardware: Other All
Importance: Normal enhancement
Target Milestone: ---
Assigned To: Epiphany Maintainers
Marco Pesenti Gritti
Reported: 2006-11-19 10:07 UTC by Allison Karlitskaya (desrt)
Modified: 2011-03-09 20:09 UTC
GNOME target: ---
GNOME version: ---



Description Allison Karlitskaya (desrt) 2006-11-19 10:07:14 UTC
i'd have thought that, for sure, this bug would exist.  after much searching, i am unable to find it.

epiphany should include the cacert.org root certificate.  the reasons for doing so are explained in this well-written mozilla bug report and many of its comments:

https://bugzilla.mozilla.org/show_bug.cgi?id=215243

in comment #20 of that bug report, Frank Hecker <hecker@mozilla.org>, who claims to be "the person tasked with developing the mozilla.org policy on inclusion of root CA certs" approves the inclusion (2 and a half years ago!) but there has been considerable foot-dragging and objections from the person who would actually implement the change.

the bug, of course, reads as a detailed argument over the merits of ssl security and exactly what it means to have a signed certificate.  the main point that i get from the argument is that if firefox carried the cacert certificate and internet explorer did not, then it would be very bad press for firefox should cacert be compromised.

i believe that this argument applies somewhat less strongly to epiphany because (like it or not) epiphany isn't nearly as high-profile as firefox is and is not currently being presented to the computing world at large as "the secure alternative to internet explorer".
Comment 1 Allison Karlitskaya (desrt) 2006-11-19 10:10:47 UTC
i just realised that the report sounds a bit like "epiphany doesn't have to worry about security".

i should have mentioned, of course, that the possibility of a cacert compromise is remote (no worse than any of the other certification authorities) and that other authorities have had compromises in the past (social engineering to obtain false certificates, etc) and we're still using them.
Comment 2 Christian Persch 2006-11-19 12:50:29 UTC
I don't think there's a way for epiphany to add new root certificates... the built-in ones are built into some nss library at nss build time, afaik.
Comment 3 Allison Karlitskaya (desrt) 2006-11-19 23:37:28 UTC
for what it's worth, i had to add the cacert certificate separately in firefox and ephy.

i first assumed that adding it in firefox would automatically add it in ephy - not true.

i think we can safely assume that adding it in ephy[1] has no effect on firefox.

in this way, the certificates supported by ephy and firefox appear to be entirely independent.  it's clearly also possible for ephy to add certificates.




[1] to add it in ephy i used the "certificates" extension.  this extension brings up a rather ugly-looking (clearly firefox-based) dialog to allow adding the certificates so it's probably more like ephy tells firefox to add a certificate to the user's custom mozilla configuration for ephy.  i don't see why this couldn't be done automatically.
Comment 4 Allison Karlitskaya (desrt) 2006-11-19 23:41:12 UTC
the file where the certificate gets stored is ~/.gnome2/epiphany/mozilla/epiphany/cert8.db

cert8.db: Berkeley DB 1.85 (Hash, version 2, native byte-order)
Comment 5 Christian Persch 2006-11-20 13:37:25 UTC
That just adds the certificate to the user's profile, not to the built-in store that will be used by new profiles/users.

I have no way to evaluate the CA's policy and cannot determine whether it's suitable for inclusion. Given that the ones responsible for this on the mozilla side have not yet included this cert, I think epiphany should not include it, too.

Personally, I don't think epiphany should get into the 'let's add some CAs' business at all, and just use the builtin NSS set of CAs.

However, epiphany should have a way for a site admin to add some CAs to each user profile for site-wide deployments; if you want we can morph this bug into that.
Comment 6 Allison Karlitskaya (desrt) 2006-11-20 16:45:00 UTC
cacert.org is a very special case.
Comment 7 Sam Morris 2009-09-28 11:22:21 UTC
Out of interest, who decides which CA certificates are included in webkit?
Comment 8 Dan Winship 2009-09-28 12:56:29 UTC
WebKit doesn't include certs, it just depends on what the platform libraries do. In 2.28, libsoup, by default, trusts everything. It is likely that in 2.30 this will be changed to be based on gsocket and the as-yet-unwritten gsocket tls code (bug 588189) which will allow using some system CA file. On Fedora at least, the "system CA file" would be /etc/pki/tls/certs/ca-bundle.crt, which is generated from the mozilla sources. So...
Comment 9 Gustavo Noronha (kov) 2011-03-09 20:09:08 UTC
I'll take the risk of being flamed and mark this as not GNOME. As Dan mentioned, Epiphany/WebKitGTK+ will trust whatever libsoup trusts, and libsoup trusts in whatever your system trusts, so adding cacert.org to the default list sounds like something the distributions will need to handle through or despite Mozilla's default certificates.
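
The thread distinguishes a system CA file from roots added to a single user profile. The following is an added example, not part of the bug report or any project's code, of how an administrator can compare two such trust stores by certificate fingerprint to see which roots were added locally. It assumes both stores are available as PEM text; the function names and the sample data are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 of each certificate's DER bytes, so PEM line wrapping,
    comments and ordering in the bundle do not affect the result."""
    found = set()
    for match in PEM_BLOCK.finditer(pem_text):
        der = base64.b64decode("".join(match.group(1).split()))
        found.add(hashlib.sha256(der).hexdigest())
    return found

def compare_stores(system_pem, profile_pem):
    """Split roots into system-only, profile-only and shared."""
    system, profile = fingerprints(system_pem), fingerprints(profile_pem)
    return {
        "system_only": system - profile,
        "profile_only": profile - system,
        "shared": system & profile,
    }

def to_pem(der, width=64):
    """Wrap DER bytes as a PEM certificate block (used for the sample data)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

# Constructed sample data: placeholder byte strings stand in for DER
# certificates; they are not real certificates.
VENDOR_ROOT = b"constructed vendor root " * 8
SHARED_ROOT = b"constructed shared root " * 8
LOCAL_ROOT = b"constructed locally added root " * 8

SYSTEM_BUNDLE = "# distribution bundle\n" + to_pem(VENDOR_ROOT) + to_pem(SHARED_ROOT)
PROFILE_EXPORT = to_pem(SHARED_ROOT, width=76) + to_pem(LOCAL_ROOT)

if __name__ == "__main__":
    for group, prints in compare_stores(SYSTEM_BUNDLE, PROFILE_EXPORT).items():
        print(group, sorted(p[:16] for p in prints))
```

Anything reported under `profile_only` is a root trusted by that profile but absent from the system bundle, which is the situation described in comments 3 to 5.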