
CaStore and certifi #10

Closed
chulkilee opened this issue May 26, 2019 · 4 comments

Comments

@chulkilee
Contributor

I believe :certifi.cacertfile() is the same feature as CAStore.file_path(), as both provide a local file path for up-to-date Mozilla certs by default.

Could someone explain the point of having its own castore library instead of using :certifi?

@jayjun

jayjun commented Aug 2, 2019

@chulkilee certifi’s certificates come from mkcert.org but the Erlang port switched to cURL’s bundle without warning (see certifi/erlang-certifi@c8e2763#diff-908b453051b556e053731714a5193921). There’s no particular reason to trust mkcert.org either.

Can’t speak for the maintainers, but I think it boils down to the chain of trust.

I can understand why Mint chose to depend on cURL’s bundle directly, and published it separately as CAStore so others can choose to depend on this chain of trust.

@chulkilee
Contributor Author

https://github.com/ericmj/castore/blob/db5ac5917448c0f1220be31cffbdfa7abea8d97a/lib/mix/tasks/certdata.ex#L25

So... "probably" they end up with the same result (not confirmed).

It's unfortunate that Mozilla doesn't provide the bundled CA for general purpose in PEM format (probably related: CA/Additional Trust Changes - MozillaWiki) - that's why many projects use curl's bundle.

> The converted PEM file only contains the digital signatures for CAs. Several of those CAs have constraints in Firefox (and other browsers) to only be allowed for certain domains and other similar additional conditions. Those constraints are thus not brought along in this cacert file!
>
> curl - Extract CA Certs from Mozilla

I really hope there would be just one library for 1) an up-to-date CA bundle and 2) optionally a way to update it securely.

It would be really nice if Mozilla provided an API to give a general-purpose versioned CA bundle with a checksum or GPG signature, so that we don't need to trust the curl project's distribution.

@jayjun

jayjun commented Aug 3, 2019

@chulkilee Yes, I’m aware both projects source from cURL. I’ve even checked that both bundles are currently identical.

I’m saying they have different chains of trust. When you use certifi, you trust benoitc too. He changed bundles without warning; will he do that again? When asked, he doesn’t respond. I’ve also wrestled with many breaking changes in hackney, so that colours my opinion.

As for bundle updates, compare certifi’s commit history with CAStore’s commit history. CAStore tracks cURL revisions closely.

Finally, if you want one library, I support the one by Elixir/Phoenix/Ecto core team members with proven track records.
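The two concerns raised in this thread, checking whether two CA bundles really are identical and pinning a downloaded bundle to a digest published out-of-band, can be automated. The following is an added example written for this thread in Python (chosen over Elixir so that it can be run anywhere without a Mix project); it is not code from castore, certifi or the curl project. It parses PEM bundles, fingerprints each certificate over its DER bytes, reports which CAs were added or removed between two revisions, and compares the file against an expected SHA-256. The sample bundles are constructed from arbitrary bytes wrapped in PEM armor, not real X.509 certificates, and the `audit_update` helper and all names in it are this example's own.

```python
import base64
import hashlib
import hmac
import re

# A PEM bundle (curl's cacert.pem, certifi, castore) is a sequence of
# BEGIN/END CERTIFICATE blocks; anything outside the armor is commentary
# (curl's file carries the CA name and a "=====" separator above each block).
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pem_bundle_fingerprints(bundle_text: str) -> dict:
    """Map SHA-256 fingerprint (over the DER bytes) -> DER for every cert block.

    Fingerprinting the decoded DER means whitespace or comment differences
    between two bundle files do not show up as certificate changes.
    """
    fps = {}
    for match in PEM_CERT_RE.finditer(bundle_text):
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        fps[sha256_hex(der)] = der
    return fps


def diff_bundles(old_text: str, new_text: str):
    """Return (added, removed) fingerprint lists between two bundle revisions."""
    old = pem_bundle_fingerprints(old_text)
    new = pem_bundle_fingerprints(new_text)
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))


def bundle_matches_checksum(bundle_bytes: bytes, expected_sha256_hex: str) -> bool:
    """Pin a bundle file to a digest published out-of-band (constant-time compare)."""
    return hmac.compare_digest(sha256_hex(bundle_bytes), expected_sha256_hex.lower())


def fake_cert_pem(name: str, payload: bytes) -> str:
    """Constructed stand-in: PEM armor around arbitrary bytes, NOT a real certificate."""
    return (
        f"{name}\n{'=' * len(name)}\n"
        "-----BEGIN CERTIFICATE-----\n"
        + base64.encodebytes(payload).decode()
        + "-----END CERTIFICATE-----\n\n"
    )


# Constructed sample bundles: revision 1 carries roots "A" and "B"; revision 2
# silently dropped "B" and added "C" (the kind of unannounced swap discussed above).
CERT_A = fake_cert_pem("Example Root A", b"constructed-der-bytes-A" * 4)
CERT_B = fake_cert_pem("Example Root B", b"constructed-der-bytes-B" * 4)
CERT_C = fake_cert_pem("Example Root C", b"constructed-der-bytes-C" * 4)
OLD_BUNDLE = "## Bundle of CA Root Certificates (constructed)\n\n" + CERT_A + CERT_B
NEW_BUNDLE = "## Bundle of CA Root Certificates (constructed)\n\n" + CERT_A + CERT_C


def audit_update(old_text: str, new_text: str, pinned_sha256=None) -> dict:
    """Hypothetical pre-release check for a bundle update: what changed, and does
    the new file match a digest obtained through a separate channel (if given)?"""
    added, removed = diff_bundles(old_text, new_text)
    report = {"added": added, "removed": removed, "unchanged": not added and not removed}
    if pinned_sha256 is not None:
        report["checksum_ok"] = bundle_matches_checksum(new_text.encode(), pinned_sha256)
    return report


if __name__ == "__main__":
    print(audit_update(OLD_BUNDLE, NEW_BUNDLE, pinned_sha256=sha256_hex(NEW_BUNDLE.encode())))
```

Run against real files, `diff_bundles(open("old.pem").read(), open("new.pem").read())` gives the list of root fingerprints that appeared or disappeared between two releases, which is what a maintainer would want to see in a commit that bumps the bundle; `bundle_matches_checksum` only helps if the expected digest comes from somewhere other than the server that served the bundle.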

@whatyouhide
Contributor

We need to control the library that we tell our users to trust for the certificates. We also need to control versioning and the release process. Thanks for the issue! 💟
