[tbb-dev] Tor Messenger and Certificates

Tom Ritter tom at ritter.vg
Sun Nov 30 00:58:21 UTC 2014 

>> Here is an update about shipping certificates with Tor Messenger:
>>
>> We are now shipping the SPI (spi-inc.org) root cert for OFTC. Since this
>> root certificate is also bundled with Debian, we are not worried about
>> this. (We are being transparent in the build system that we are bundling
>> this cert and will be more so in the documentation and public
>> announcement.)
>
> why is that one not in Mozilla's trust store? Do they have documentation
> on how their internal processes wrt to issuing certificates work? Do
> they have audits of that process?

I can't find any indication API ever wanted to be included in
Mozilla's trust store, but I could be wrong.  If
http://www.spi-inc.org/ca/ is all the documentation they have (no
issuance policy documents, no audits, no nothing) they're not going to
make it it in.

>> Coming to the jabber.ccc.de, it is signed by CAcert. Which brings me to
>> the question -- should we be bundling the CAcert root certificate? I
>> base this question on the fact that it is not shipped with Debian (or
>> Ubuntu) or Mozilla, and there seems to be a lot of discussion (one
>> example: http://lwn.net/Articles/590879/) about this topic. Should we
>> ship this with Tor Messenger then?
>
> Messing with CAs is always a tricky business. And, personally, I am not
> a strong fan of adding root certificates of organizations that can't
> make sure their processes can handle issuing certificates properly,
> quite the contrary. (Btw. I am not claiming that all the other CAs *can*
> make that sure; that's a separate discussion though)
>
> Instead of adding additional root certificates I'd explore ways of
> getting the necessary certificates installed in the user-friendliest way
> possible when the user is *actually needing* them. (There is no need to
> expose all those users that are neither using OFTC nor jabber.ccc.de to
> the additional risk that comes with shipping these root CAs when using
> Tor Messenger)

I'm opposed to adding root CA certificates (CACert, SPI) until such a
time Tor Browser/Messenger is ready to maintain its own root store.  I
don't think doing that is a bad idea though, and would be interested
in thinking through what it would take as a pie-in-the-sky type
discussion.

But I'm also strongly opposed to requiring users to click through
self-signed or invalid root certificate warnings for extremely popular
services.  So I think services like jabber.ccc.de and OFTC should have
their leaf certs included and trusted by default after confirming
their validity.

-tom

More information about the tbb-dev mailing list