On 04.07.2018 18:37, Alice Wonder wrote:
> On 07/04/2018 08:54 AM, Walter H. wrote:
>> Hello,
>>
>> the RPM
>>
>> ca-certificates-2018.2.22-65.1.el6.noarch
>>
>> has a big problem ...
>> many certificates were removed - my proxy uses this as source and isn't
>> able to validate correctly any more -
>> most sites show this:
>>
>> /[No Error] (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
>>
>> /Self-signed SSL Certificate in chain: /C=SE/O=AddTrust AB/OU=AddTrust
>> External TTP Network/CN=AddTrust External CA Root
>>
>> Self-signed SSL Certificate in chain: /C=US/O=DigiCert
>> Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>>
>> and many other Root certificates are missing ...
>>
>
> Not sure why they were removed but in the past, root certificates are
> removed due to problems with the certificate authorities that mean
> their signatures no longer mean the sites are who they say they are.
>
> That's the problem with PKI. When you can't trust the root, you can't
> sign any certificate down the chain from the root.
>
> Unfortunately DANE is not yet supported by browsers.

DANE is not a solution, it is another problem ...

>
> But anyway, does the changelog indicate why the certs were removed?

where can I find the changelog?

>
> It may be a good thing - protecting you from potential MITM when you
> otherwise would have the assumption that the site is valid because it
> has a cert.

depends ... this https://cdn.pbrd.co/images/Hs5VL82.png is not the cause of SSL everywhere, it is the answer of SSL everywhere ...

>
> I know digicert specifically has had problems before resulting in
> fraudulent certificates being issued.

this had been in the past ..., not relevant to present time ...

>
> Hopefully the industry can move to DANE and make blind trust a thing
> of the past.

before DANE, DNSSEC as a requirement has to be deployed ...
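The X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN symptom Walter reports can be reproduced offline with OpenSSL, as an added example that is not part of this thread: build a throwaway root and a leaf it signs, then validate the leaf against a trust bundle with and without that root, and check which roots a bundle still carries. All certificate names and file names are constructed for the demo; none of them is a real CA.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
# by validating a server chain against a trust bundle that no longer holds its root.
# All names below are constructed; none of these is a real CA.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root CA (relies on the default openssl.cnf adding CA:TRUE for -x509).
mkroot() { # $1=file stem  $2=subject
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
mkroot rootA "/O=Example Trust/CN=Example Root CA A"   # issues the leaf below
mkroot rootB "/O=Example Trust/CN=Example Root CA B"   # unrelated root that survives

# Leaf certificate issued by rootA, i.e. what the proxy receives from the server.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/rootA.pem" \
  -CAkey "$WORK/rootA.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null

# Two bundles: before the update (both roots) and after it (rootA removed).
cat "$WORK/rootA.pem" "$WORK/rootB.pem" > "$WORK/bundle-full.pem"
cp "$WORK/rootB.pem" "$WORK/bundle-trimmed.pem"

# Does PEM bundle $1 still carry a root whose subject contains $2? Prints yes/no.
bundle_has_root() {
  if openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout \
       | grep -q "subject=.*$2"; then echo yes; else echo no; fi
}

# Verify leaf $3 against bundle $1, offering the server-sent chain $2 as untrusted
# input. Prints OK, or "error N" with N the X509_V_ERR code (19 = self-signed in chain).
chain_status() {
  out=$(openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1) && { echo OK; return 0; }
  printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/error \1/p' | head -n 1
}

echo "root A in full bundle:    $(bundle_has_root "$WORK/bundle-full.pem" 'Example Root CA A')"
echo "root A in trimmed bundle: $(bundle_has_root "$WORK/bundle-trimmed.pem" 'Example Root CA A')"
echo "verify, full bundle:      $(chain_status "$WORK/bundle-full.pem" "$WORK/rootA.pem" "$WORK/leaf.pem")"
echo "verify, trimmed bundle:   $(chain_status "$WORK/bundle-trimmed.pem" "$WORK/rootA.pem" "$WORK/leaf.pem")"
```

On an RPM-based host the package changelog Alice refers to is printed by `rpm -q --changelog ca-certificates`, which is where the reason for a root's removal would be recorded if the packager noted one.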