GNOME Bugzilla – Bug 376925
cacert.org root certificate inclusion
Last modified: 2011-03-09 20:09:08 UTC
i'd have thought that, for sure, this bug would exist. after much searching, i am unable to find it. epiphany should include the cacert.org root certificate. the reasons for doing so are explained in this well-written mozilla bug report and many of its comments: https://bugzilla.mozilla.org/show_bug.cgi?id=215243

in comment #20 of that bug report, Frank Hacker <hecker@mozilla.org>, who claims to be "the person tasked with developing the mozilla.org policy on inclusion of root CA certs", approves the inclusion (2 and a half years ago!) but there has been considerable foot-dragging and objections from the person who would actually implement the change. the bug, of course, reads as a detailed argument over the merits of ssl security and exactly what it means to have a signed certificate.

the main point that i get from the argument is that if firefox carried the cacert certificate and internet explorer did not, then it would be very bad press for firefox should cacert be compromised. i believe that this argument applies somewhat less strongly to epiphany because (like it or not) epiphany isn't nearly as high-profile as firefox is and is not currently being presented to the computing world at large as "the secure alternative to internet explorer".
i just realised that the report sounds a bit like "epiphany doesn't have to worry about security". i should have mentioned, of course, that the possibility of a cacert compromise is remote (no worse than any of the other certification authorities) and that other authorities have had compromises in the past (social engineering to obtain false certificates, etc) and we're still using them.
I don't think there's a way for epiphany to add new root certificates... the built-in ones are built into some nss library at nss build time, afaik.
for what it's worth, i had to add the cacert certificate separately in firefox and ephy. i first assumed that adding it in firefox would automatically add it in ephy - not true. i think we can safely assume that adding it in ephy[1] has no effect on firefox. in this way, the certificates supported by ephy and firefox appear to be entirely independent. it's clearly also possible for ephy to add certificates.

[1] to add it in ephy i used the "certificates" extension. this extension brings up a rather ugly-looking (clearly firefox-based) dialog to allow adding the certificates, so it's probably more like ephy tells firefox to add a certificate to the user's custom mozilla configuration for ephy. i don't see why this couldn't be done automatically.
the file where the certificate gets stored is ~/.gnome2/epiphany/mozilla/epiphany/cert8.db

cert8.db: Berkeley DB 1.85 (Hash, version 2, native byte-order)
That just adds the certificate to the user's profile, not to the built-in store that will be used by new profiles/users. I have no way to evaluate the CA's policy and cannot determine whether it's suitable for inclusion. Given that the ones responsible for this on the mozilla side have not yet included this cert, I think epiphany should not include it, too. Personally, I don't think epiphany should get into the 'let's add some CAs' business at all, and just use the builtin NSS set of CAs. However, epiphany should have a way for a site admin to add some CAs to each user profile for site-wide deployments; if you want we can morph this bug into that.
cacert.org is a very special case.
Out of interest, who decides which CA certificates are included in webkit?
WebKit doesn't include certs, it just depends on what the platform libraries do. In 2.28, libsoup, by default, trusts everything. It is likely that in 2.30 this will be changed to be based on gsocket and the as-yet-unwritten gsocket tls code (bug 588189) which will allow using some system CA file. On Fedora at least, the "system CA file" would be /etc/pki/tls/certs/ca-bundle.crt, which is generated from the mozilla sources. So...
I'll take the risk of being flamed and mark this as not GNOME. As Dan mentioned, Epiphany/WebKitGTK+ will trust whatever libsoup trusts, and libsoup trusts in whatever your system trusts, so adding ca-cert.org to the default list sounds like something the distributions will need to handle through or despite Mozilla's default certificates.
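The two comments above contrast a client that "trusts everything" (libsoup 2.28's default as described) with one that verifies against the system CA bundle (the planned gsocket/TLS path, with /etc/pki/tls/certs/ca-bundle.crt named as the Fedora bundle). The following is an added example, not code from Epiphany, libsoup or this bug report, that shows the same weak and corrected settings with Python's standard ssl module and locates a system bundle. The Fedora path comes from the thread; the other candidate paths, the function names and the sample bundle text are assumptions made for this illustration.

```python
"""Weak vs. verifying TLS client configuration (added illustration).

Mirrors the two behaviours discussed in the bug: a client that accepts any
server certificate (libsoup 2.28 default) and one that validates the chain
against a system CA bundle such as /etc/pki/tls/certs/ca-bundle.crt.
"""
import os
import ssl

# Candidate bundle locations.  The Fedora path is the one named in the thread;
# the other two are assumed common locations on Debian-derived and BSD-style
# systems and are not taken from the bug report.
SYSTEM_CA_BUNDLE_CANDIDATES = (
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/ssl/cert.pem",
)


def find_system_ca_bundle(candidates=SYSTEM_CA_BUNDLE_CANDIDATES):
    """Return the first readable bundle path, or None if none exists."""
    for path in candidates:
        if os.path.isfile(path) and os.access(path, os.R_OK):
            return path
    return None


def count_pem_certs(pem_text):
    """Count certificates in PEM text by their BEGIN/END framing lines."""
    begins = pem_text.count("-----BEGIN CERTIFICATE-----")
    ends = pem_text.count("-----END CERTIFICATE-----")
    if begins != ends:
        raise ValueError("unbalanced PEM framing: %d BEGIN, %d END" % (begins, ends))
    return begins


def make_tls_context(mode, ca_file=None):
    """Build a client SSLContext for the given trust mode.

    "trust_everything": no chain validation, no hostname check (the weak setting).
    "system": validate against the platform's default trust store, optionally
    adding an explicit bundle file such as the Fedora path above.
    """
    if mode == "trust_everything":
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if mode == "system":
        ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
        if ca_file is not None:
            ctx.load_verify_locations(cafile=ca_file)
        return ctx
    raise ValueError("unknown mode: %r" % (mode,))


def describe(ctx):
    """Summarise what a context actually enforces on a handshake."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


# Constructed sample bundle text (not real certificates); only the PEM
# framing matters to count_pem_certs.
SAMPLE_BUNDLE = """# Example CA 1 (constructed placeholder)
-----BEGIN CERTIFICATE-----
MIIB...constructed-placeholder...
-----END CERTIFICATE-----
# Example CA 2 (constructed placeholder)
-----BEGIN CERTIFICATE-----
MIIB...constructed-placeholder...
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print("libsoup-2.28-style:", describe(make_tls_context("trust_everything")))
    print("system-CA style:   ", describe(make_tls_context("system")))
    bundle = find_system_ca_bundle()
    if bundle:
        with open(bundle) as fh:
            print(bundle, "holds", count_pem_certs(fh.read()), "certificates")
    else:
        print("no system bundle found; sample holds",
              count_pem_certs(SAMPLE_BUNDLE), "certificates")
```

Running it prints which checks each context enforces and, where a system bundle exists, how many CA certificates it carries; that count is the practical answer to "who decides which CAs are trusted" once a client defers to the platform store, since adding a CA such as cacert.org then becomes a distribution packaging decision rather than a browser one.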