[CentOS] ca-certificates-2018.2.22-65.1.el6.noarch problematic

Wed Jul 4 17:03:19 UTC 2018
Walter H. <Walter.H at mathemainzel.info>

On 04.07.2018 18:37, Alice Wonder wrote:
> On 07/04/2018 08:54 AM, Walter H. wrote:
>> Hello,
>> the RPM
>> ca-certificates-2018.2.22-65.1.el6.noarch
>> has a big problem ...
>> many certificates were removed - my proxy uses this as source and isn't
>> able to validate correct any more -
>> most sites show this:
>> /[No Error] (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
>> /Self-signed SSL Certificate in chain: /C=SE/O=AddTrust AB/OU=AddTrust
>> External TTP Network/CN=AddTrust External CA Root
>> Self-signed SSL Certificate in chain: /C=US/O=DigiCert
>> Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>> and many other Root certificates are missing ...
> Not sure why they were removed but in the past, root certificates are 
> removed due to problems with the certificate authorities that mean 
> their signatures no longer mean the sites are who they say there.
> That's the problem with PKI. When you can't trust the root, you can't 
> sign any certificate down the chain from the root.
> Unfortunately DANE is not yet supported by browsers.
DANE is not  a solution, it is another problem ...
> But anyway, does the changelog indicate why the certs were removed?
where can I find the changelog?
> It may be a good thing - protecting you from potential MITM when you 
> otherwise would have the assumption that the site is valid because it 
> has a cert.
depends ...

is not the cause of SSL everywhere, it is the answer of SSL everywhere ...
> I know digicert specifically has had problems before resulting in 
> fraudulent certificates being issued.
this had been in the past ..., not relevant to present time ...
> Hopefully the industry can move to DANE and make blind trust a thing 
> of the past.
before DANE, DNSSEC as a requirement has to be deployed ...