CA's TLS Certificate Bundle in base = BAD
Dan Lukes
dan at obluda.cz
Fri Feb 26 07:41:37 UTC 2021
On 26.2.2021 2:07, John-Mark Gurney wrote:
>> Third party CA's are an untrusted automagical nightmare of global and
>> local MITM risk...
>
> Do you delete all the CA's from your browsers then?
Yes, I clean them out of the browser, then add a few CAs as needed.
Despite that, I'm not on grarpamp's side.
People install the FreeBSD system on their computers, which requires a lot
of trust. Most users can trust even the CA list that's part of the FreeBSD
system.
And paranoid users like me? We will check the pre-installed CA list
every time. We do it now and we will keep doing it in the future,
because we trust no one. So we don't care what the content of the file in
the stock install is.
So I don't vote for grarpamp's proposal. It will decrease the effective
security of the "standard user" and it will not help the paranoid ones.
But it would be nice to know how it works. Which CAs are included in the
distributed bundle? Who makes the final decision? What rules are they
obliged to follow?
It should be documented somewhere.
> Having tried to verify the certificate for a bank when verisign f'd
> up their cert really doesn't work, trust me I've tried it, the
> support has zero clue what you're talking about, and they have no
> process to handle such a question...
My bank has defined the process you are speaking of here. I was the IT
security officer of that bank and I defined the process in question. In
about ten years, there has been one (!) call asking for verification of the
certificate. And it was a call from a friend of mine who was curious
to verify whether it works ...
Despite that, it's not an argument related to the topic we are
speaking about. Certificates are just a tool. It can be used properly
or improperly. The proper use of a tool depends on the goal, so the goal
needs to be discussed first.
Dan
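The "check the pre-installed CA list every time" routine Dan describes is easy to automate: pin the SHA-256 fingerprints of the CAs you reviewed once, then diff every stock bundle against that list and fail on anything added, removed or duplicated. The script below is an added example written for this page, not Dan's tooling and not part of FreeBSD; it assumes the bundle is a plain PEM file with comment lines between certificates (FreeBSD installs one at /etc/ssl/cert.pem, an assumption about the path rather than something the thread states) and that the pinned list is a text file of one fingerprint per line. The embedded sample bundle is constructed: its base64 payloads are arbitrary bytes, not real certificates, and serve only to exercise the parser and the diff.

```python
"""Audit a PEM CA bundle against a pinned list of SHA-256 fingerprints.

Added example, not part of the mailing-list post or of FreeBSD. Assumed
inputs: a PEM bundle (e.g. /etc/ssl/cert.pem) and a file of pinned
fingerprints in the colon-separated form printed by
`openssl x509 -noout -fingerprint -sha256`.
"""
import base64
import binascii
import hashlib
import re
import sys

# Constructed sample bundle (NOT real certificates): the base64 bodies are
# arbitrary bytes chosen to look like DER (they start with 0x30 0x82), and
# the heading/comment lines mimic the layout of a real bundle.
SAMPLE_BUNDLE = """\
## Comment lines and headings like these sit between certificates
Example Root CA 1
=================
-----BEGIN CERTIFICATE-----
MIIBAAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8g
-----END CERTIFICATE-----

Example Root CA 2
=================
-----BEGIN CERTIFICATE-----
MIIBAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAh
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def parse_pem_bundle(text):
    """Return the DER bytes of every certificate in a PEM bundle.

    Text outside BEGIN/END markers is ignored. A block whose body is not
    valid base64, or does not decode to a DER SEQUENCE (tag 0x30), raises
    ValueError rather than being silently skipped: a bundle you cannot
    fully parse is not a bundle you have audited.
    """
    ders = []
    for match in PEM_BLOCK.finditer(text):
        body = re.sub(r"\s+", "", match.group(1))
        try:
            der = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError) as exc:
            raise ValueError(f"malformed PEM body: {exc}") from exc
        if not der or der[0] != 0x30:
            raise ValueError("PEM body does not decode to a DER SEQUENCE")
        ders.append(der)
    return ders


def sha256_fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, colon-separated uppercase hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def audit_bundle(text, pinned):
    """Diff the CA set in `text` against the pinned fingerprint set.

    Returns a dict with sorted lists:
      unexpected - in the bundle but not pinned (a CA someone added)
      missing    - pinned but no longer in the bundle (a CA removed)
      duplicates - present more than once (usually a packaging mistake)
    """
    seen = [sha256_fingerprint(der) for der in parse_pem_bundle(text)]
    present = set(seen)
    return {
        "unexpected": sorted(present - pinned),
        "missing": sorted(pinned - present),
        "duplicates": sorted(fp for fp in present if seen.count(fp) > 1),
    }


def main(argv):
    if len(argv) != 3:
        print("usage: ca_audit.py BUNDLE.pem PINNED.txt", file=sys.stderr)
        return 2
    with open(argv[1], encoding="ascii") as handle:
        bundle = handle.read()
    with open(argv[2], encoding="ascii") as handle:
        pinned = {line.strip().upper() for line in handle
                  if line.strip() and not line.startswith("#")}
    report = audit_bundle(bundle, pinned)
    for kind in ("unexpected", "missing", "duplicates"):
        for fingerprint in report[kind]:
            print(f"{kind}: {fingerprint}")
    # Non-zero exit so the check can gate an upgrade or a cron job.
    return 1 if any(report.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Fingerprints of the whole DER certificate are the right thing to pin here: two roots with the same subject but different keys (or a re-issued root) get different fingerprints, which is exactly the change a paranoid user wants to notice after an upgrade. Build the pinned list once from a bundle you have reviewed by hand, keep it outside the system you are auditing, and treat any "unexpected" or "missing" line as a reason to stop and read the release notes.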