[Pkg-openssl-devel] Bug#876403: Bug#876403: Ship ct_log_list.cnf so -ct works

Rob Percival robpercival at google.com
Thu Mar 29 13:34:01 BST 2018


On Fri, 22 Sep 2017 00:29:38 +0200 Kurt Roeckx <kurt at roeckx.be> wrote:
> On Thu, Sep 21, 2017 at 12:03:19PM -0700, Josh Triplett wrote:
> >
> > Please ship an appropriate /usr/lib/ssl/ct_log_list.cnf .
>
> I think the problem is that there is no such thing as an
> appropriate file. We could do things like what Chrome supports,
> or what other browsers in the future support.
>
> The file probably doesn't support enough options for what we really
> would like to see as a policy, and I think OpenSSL lacks support
> for enforcing such a policy.
>
> I'm not sure that adding such a file currently has any benefit.
>
>
> Kurt

Is it appropriate for Debian to set a CT policy, beyond providing a list of
CT logs? OpenSSL does support arbitrary CT policies via
SSL_CTX_set_ct_validation_callback
(https://www.openssl.org/docs/man1.1.0/ssl/SSL_enable_ct.html), but that
obviously leaves it up to individual applications to decide what their
policy is. You're correct that ct_log_list.cnf doesn't allow for expressing
a default policy that applies to all applications.

The benefit of shipping a CT log list is similar to that of shipping a set
of root certificates. It saves users and applications having to curate and
update this list themselves in order to benefit from Certificate
Transparency. I can appreciate the argument that this is not an
unreasonable burden to place on what is presumably a small set of users and
applications though.

Following what Chrome does seems like a reasonable step, at least for now,
assuming it's not a burden on the Debian OpenSSL team. Is it more
time-consuming than it appears - regularly downloading a file, running a
script to convert it to OpenSSL's format and shipping it?
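The conversion step described above (download Chrome's list, run a script to produce OpenSSL's format), as an added example that is not code from OpenSSL, Debian, Chrome or anyone in this thread. It assumes Chrome's log_list.json layout (a top-level "operators" list whose entries carry "logs", each with "description", "key" as base64 DER SubjectPublicKeyInfo, "log_id" as base64 SHA-256 of that DER, and a "state" dict keyed by the state name) and writes the format documented for OpenSSL's CTLOG_STORE_load_file(3). The set of states it treats as enabled is a policy choice made by this script, which is Kurt's point: the cnf file carries a key list and nothing else. The sample list, its keys and IDs are constructed, not real logs.

```python
"""Chrome-style CT log list (JSON) -> OpenSSL ct_log_list.cnf.
Added example; not code from OpenSSL, Debian, Chrome or this thread's authors.
Input layout is an assumption (Chrome's log_list.json); output follows
CTLOG_STORE_load_file(3): enabled_logs = a,b / [a] / description / key."""
import base64
import hashlib
import json
import re
import sys

# States treated as "enabled": the policy decision the cnf format cannot
# carry. Chosen here for illustration, not taken from the page.
USABLE_STATES = {"usable", "qualified", "readonly"}


def log_id_for_key(key_b64):
    """RFC 6962 s3.2: log ID = SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(base64.b64decode(key_b64)).digest()).decode()


def check_spki_der(der):
    """Structural check only: an outer DER SEQUENCE whose declared length covers
    the whole buffer. Catches truncated or mis-pasted keys; not an ASN.1 parser."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:
        header, length = 2, der[1]
    else:
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def is_usable(log):
    """Chrome's "state" is a one-key dict such as {"usable": {...}} (assumed)."""
    return any(name in USABLE_STATES for name in (log.get("state") or {}))


def convert(log_list):
    """Return (cnf_text, warnings). Entries failing a check are dropped and
    reported, never patched up."""
    warnings, sections = [], []
    for operator in log_list.get("operators", []):
        for log in operator.get("logs", []):
            desc, key = log.get("description", ""), log.get("key", "")
            try:
                der = base64.b64decode(key, validate=True)
            except ValueError:
                der = b""
            if not check_spki_der(der):
                warnings.append("skipped %r: key is not a complete DER SEQUENCE" % desc)
            elif log.get("log_id") not in (None, log_id_for_key(key)):
                warnings.append("skipped %r: log_id != SHA-256(key)" % desc)
            elif not is_usable(log):
                warnings.append("omitted %r: state not in %s" % (desc, sorted(USABLE_STATES)))
            else:
                # Section name: conf-safe, unique via index. Description is
                # cosmetic, so restrict it to a conservative character set
                # instead of relying on OpenSSL's conf quoting rules.
                base = re.sub(r"[^A-Za-z0-9]+", "_", desc).strip("_").lower() or "log"
                safe = re.sub(r"\s+", " ", re.sub(r"[^A-Za-z0-9 ._:()-]", "", desc)).strip()
                sections.append(("%s_%d" % (base, len(sections) + 1), safe, key))
    lines = ["enabled_logs = " + ",".join(n for n, _, _ in sections), ""]
    for name, safe, key in sections:
        lines += ["[%s]" % name, "description = %s" % safe, "key = %s" % key, ""]
    return "\n".join(lines), warnings


def _fake_spki(label):
    """Constructed stand-in: a DER SEQUENCE around an OCTET STRING. Not a real key."""
    body = b"\x04" + bytes([len(label)]) + label
    return base64.b64encode(b"\x30" + bytes([len(body)]) + body).decode()


GOOD_KEY, RETIRED_KEY, OTHER_KEY = _fake_spki(b"alpha"), _fake_spki(b"beta"), _fake_spki(b"gamma")
TRUNCATED_KEY = base64.b64encode(base64.b64decode(GOOD_KEY)[:-3]).decode()

# Constructed sample in the assumed Chrome layout; keys and IDs are synthetic.
SAMPLE_LOG_LIST = {"operators": [{"name": "Example Operator", "logs": [
    {"description": "Example 'Alpha' log", "key": GOOD_KEY,
     "log_id": log_id_for_key(GOOD_KEY), "state": {"usable": {}}},
    {"description": "Example Beta log", "key": RETIRED_KEY,
     "log_id": log_id_for_key(RETIRED_KEY), "state": {"retired": {}}},
    {"description": "Example Gamma log", "key": OTHER_KEY,
     "log_id": log_id_for_key(GOOD_KEY), "state": {"usable": {}}},  # ID of another key
    {"description": "Example Delta log", "key": TRUNCATED_KEY,
     "log_id": log_id_for_key(TRUNCATED_KEY), "state": {"usable": {}}},
]}]}

if __name__ == "__main__":
    # python ct_log_list_to_cnf.py log_list.json > ct_log_list.cnf
    source = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOG_LIST
    text, notes = convert(source)
    sys.stdout.write(text)
    for note in notes:
        print("#", note, file=sys.stderr)
```

Two checks matter more than the formatting: the log ID must equal SHA-256 of the DER key (RFC 6962), so an entry edited in transit shows up as a mismatch, and a key that is not a complete DER SEQUENCE is dropped rather than handed to OpenSSL. Neither replaces fetching the list over an authenticated channel, and the script does not verify any signature published alongside the list; a package that ships the result is vouching for its contents the same way it vouches for a root store.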