JanC | teward: well, I think Mozilla/Microsoft only stopped accepting certificates signed after a certain date, for now? | 00:09 |
---|---|---|
teward | they may have, but since our Firefox isn't up to date (22.04 was juuuuust before the snap switchover for Firefox because all the flavors pushed back hard about a last-second switch at final freeze to Snap right before release) I don't think that has been put into the updates | 00:10 |
teward | either way, I have no problem disallowing a CA that's going to be yoinked anyways. | 00:10 |
JanC | oh, I disabled those certs too (not just in ca-certs, but in Firefox too) | 00:15 |
JanC | ideally all OS makers/distributors would agree to remove it so that there can be no excuses :) | 00:23 |
teward | yup | 00:23 |
teward | but also ideally | 00:23 |
JanC | also ideally it would never have been added :) | 00:23 |
teward | all browsers would be allowed to refer to $SYSTEM_CERT_STORE instead of individual keyrings (Firefox, Chrome, Edge, etc. all keep their own even on Linux, while they let Windows versions refer to the system cert store) | 00:23 |
teward | JanC: accurate | 00:24 |
teward | but also my last statement | 00:24 |
teward | (accidentally poked the enter key) | 00:24 |
JanC | is there a system store with all the same features on linux? | 00:25 |
teward | unfortunately no. but you can 'hack' it for a cert trust store by using ca-certificates | 00:25 |
teward | my point being it'd be nice to *not* have to manually adjust 3 separate locations (ca-certs, Firefox, Chrome) and have something capable of editing them all | 00:26 |
JanC | from what I understood, ca-certificates can't express "trust only for certificates signed before N" | 00:26 |
JanC | it should be possible to implement something central like that, of course | 00:26 |
teward | JanC: technically speaking, neither can Firefox or Chrome on their own, without code level changes. but something centralized would be *nice* to have that | 00:26 |
teward | (Windows is unique in that they don't do a ton of RFC-compliant stuff even in their own cert authority systems so) | 00:26 |
teward | (no seriously they aren't RFC compliant even in default templates and stuff xD) | 00:27 |
teward | but I digres | 00:27 |
teward | digress* | 00:27 |
teward | as long as I can make my internal network PKI trusted on everything that's all I care about (private PKI cert chain and stuff) | 00:27 |
JanC | I wonder if you could implement using system certificates in Firefox with a "security device plugin" | 00:32 |
JanC | including system CA certificates? | 00:34 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!