Bug 1259449
| Summary: | Include the CA certificate for *.access.redhat.com in ca-certificates | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Keith Robertson <kroberts> | ||||||
| Component: | ca-certificates | Assignee: | Kai Engert (:kaie) (inactive account) <kengert> | ||||||
| Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | ||||||
| Severity: | high | Docs Contact: | |||||||
| Priority: | high | ||||||||
| Version: | 7.2 | CC: | jmoran | ||||||
| Target Milestone: | rc | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | All | ||||||||
| OS: | All | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2015-09-02 16:46:01 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | 1259456 | ||||||||
| Bug Blocks: | |||||||||
| Attachments: |
|
||||||||
|
Description
Keith Robertson
2015-09-02 15:45:46 UTC
Created attachment 1069493 [details]
api.access.redhat.com cert
Created attachment 1069494 [details]
cert-api.access.redhat.com cert
This BZ should be implemented in conjunction with BZ1259456 After talking to Kai, putting the *.redhat.com CAs in ca-certificates isn't a good idea as it is intended to be a global repository. I'm going to close this BZ. === Hi Keith, I saw you have filed https://bugzilla.redhat.com/show_bug.cgi?id=1259449 which requests to add our own CA to the systemwide list of trusted CA certificates. This is the first time I see such a request. I believe that in the past certificfates from global CAs have been used for certificates for our corporate websites. Can you please tell me, who has discussed and decided that this strategy should be used? In my opinion, we should avoid including a CA that could be used to issue certificates for any website. If you really need to include a CA, because you must issue your own certificates to access corporate websites, you should be aware of the following: Only users of our operating system will be able to connect to our site directly. Everyone else will see security warnings in their browser, that our site isn't trusted. If you are aware of that, and would like to use this approach (own CA) anyway, then I would like to request that we add constrain that CA. It is possible to add a domain name constraints extension to a root CA certificate, which limits for which domains certificates can be issued. Given the potential of abuse of a CA certificate, it would give our customers the guarantee that we intend to use the CA we're adding only for our own sites, not for anything else. Please let me know what you think, I'm interested to hear about your motiviations for that request, and if you're OK with the constraint that I'm suggesting. (On a side note, I couldn't download your attachments from the bug, it seems you have attached HTML documents, not certificates?) Thanks and Regards |