List: linux.debian.bugs.dist
From: Simon Josefsson to All
Subject: Bug#1128593: Disable CAs that doesn't of
Date: 21 Feb 26 18:30:01
From: simon@josefsson.org
Package: ca-certificates
Version: 20250419
Severity: wishlist

Quoting a recent security update for 'ca-certificates':

> Mozilla certificate authority bundle was updated to version 2.60
> The following certificate authorities were added (+):
> + "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
> + "ANF Secure Server Root CA"
> + "Autoridad de Certificacion Firmaprofesional CIF A62634068"
> + "Certainly Root E1"
> + "Certainly Root R1"
> + "Certum EC-384 CA"
> + "Certum Trusted Root CA"
> + "D-TRUST BR Root CA 1 2020"
> + "D-TRUST EV Root CA 1 2020"
> + "DigiCert TLS ECC P384 Root G5"
> + "DigiCert TLS RSA4096 Root G5"
> + "E-Tugra Global Root CA ECC v3"
> + "E-Tugra Global Root CA RSA v3"
> + "GlobalSign Root R46"
> + "GlobalSign Root E46"
> + "GLOBALTRUST 2020"
> + "HARICA TLS ECC Root CA 2021"
> + "HARICA TLS RSA Root CA 2021"
> + "HiPKI Root CA - G1"
> + "ISRG Root X2"
> + "Security Communication ECC RootCA1"
> + "Security Communication RootCA3"
> + "Telia Root CA v2"
> + "TunTrust Root CA"
> + "vTrus ECC Root CA"
> + "vTrus Root CA"

Not thinking of any of those CAs specifically, but generally, I wonder if Debian's users are served by having all of the WebPKI CAs enabled by default.

Including any public CA certificate is definitely useful, for users to be able to find necessary trust-points in a simple manner.

However, enabling them all by default, which allows any of the CAs to successfully MITM your TLS connections for any application using the bundles, (should) trigger some additional concerns and review.

Right now there doesn't seem to be any distinction between the two cases above, and the Debian criteria look effectively like accept-all.

By "enabling" I mean including them in the global /etc/ssl/certs/ca-certificates.crt bundle.

Could Debian establish a set of criteria for which CAs to enable by default?

One simple criterion could be that the CA supports Certificate Transparency and offers a public log of all their issued certificates, so that people can audit the CA and look for issued MITM certs like *.google.com or similar.

We shouldn't cause user TLS certification errors needlessly as a consequence of a change like this. I suspect that the majority of end-entity certs would be covered by the well-known CAs that have supported Certificate Transparency for many years. Doing experiments with which CAs are important to enable by default could be done.

Thoughts?

/Simon
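The mechanism a "disable by default" policy like the one proposed above would rest on, as an added example that is not part of the bug report: Debian's update-ca-certificates reads /etc/ca-certificates.conf, one certificate path per line, and a leading "!" deselects that CA so it is left out of /etc/ssl/certs/ca-certificates.crt. The script below takes a hypothetical administrator allowlist (for instance the CAs vetted for Certificate Transparency support) and rewrites a constructed sample of that file so that every other CA is deselected; the sample entries and the allowlist are made up for illustration, not taken from any Debian release.

```python
# Debian's update-ca-certificates builds /etc/ssl/certs/ca-certificates.crt from
# /etc/ca-certificates.conf: one certificate path per line, and a leading "!"
# deselects that CA so it is left out of the bundle.

# Constructed sample of the file; the CA entries are illustrative only.
SAMPLE_CONF = """\
# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
mozilla/DigiCert_Global_Root_G2.crt
mozilla/ISRG_Root_X2.crt
!mozilla/Previously_Disabled_CA.crt
mozilla/Example_Untrusted_CA.crt
"""


def enabled_cas(conf_text):
    """Entries update-ca-certificates would include in the bundle."""
    entries = (line.strip() for line in conf_text.splitlines())
    return [e for e in entries if e and not e.startswith(("#", "!"))]


def restrict_conf(conf_text, allowlist):
    """Return (new conf text, newly deselected entries, allowlisted entries not found).

    Every enabled entry missing from ``allowlist`` gets a "!" prefix.  Entries
    that are already deselected stay that way even if allowlisted: re-enabling
    a CA should be a separate, explicit decision.  Comments and blank lines
    pass through unchanged so the result stays diff-friendly.
    """
    out, newly_disabled, seen = [], [], set()
    for line in conf_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            out.append(line)
            continue
        if entry.startswith("!"):
            out.append(entry)
            seen.add(entry[1:])
            continue
        seen.add(entry)
        if entry in allowlist:
            out.append(entry)
        else:
            out.append("!" + entry)
            newly_disabled.append(entry)
    missing = sorted(set(allowlist) - seen)  # typos in the allowlist surface here
    return "\n".join(out) + "\n", newly_disabled, missing


if __name__ == "__main__":
    # Hypothetical allowlist of CAs the administrator has vetted.
    allow = {"mozilla/DigiCert_Global_Root_G2.crt", "mozilla/ISRG_Root_X2.crt"}
    new_conf, disabled, missing = restrict_conf(SAMPLE_CONF, allow)
    print(new_conf)
    print("newly deselected:", disabled, "| not found:", missing)
    # Next step on a real system: install new_conf as /etc/ca-certificates.conf
    # and run update-ca-certificates to rebuild the bundle.
```

Because update-ca-certificates only rebuilds the global bundle, applications that ship their own trust store (browsers, some language runtimes) are unaffected by this file and need their own review.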