On Mon, 14 Dec 2015 18:45:40 -0600 Michael Shuler <mich...@pbandjelly.org> wrote:
> > As always, let me know if you could use any help. I'm going to
> > start looking through the reverse depends for ca-certificates to
> > identify packages that might be relying on roots for email
> > authentication.
>
> Exactly. I also do not know if pointing mail-related CAs to another
> filesystem location and patching mail-related packages to look there
> is sufficient - are there mail clients/utilities that also open https
> web urls?

It wouldn't be a question of HTTPS connections, but rather TLS
connections to IMAP, POP, and SMTP servers, which most MUAs will make.
MUAs that implement S/MIME should use separate trust stores for TLS and
S/MIME (or have some other way to distinguish between roots) and MUAs
that don't are buggy. I would be interested in patching such MUAs,
although this would be a long-term effort.

Fortunately, there is a simple short-term solution that could be
implemented immediately and would provide a security improvement to the
majority of Debian users without removing any functionality: ship the
email-only roots in a separate package. I suspect that only a small
minority of Debian users use S/MIME, whereas a large majority of users
use wget, curl, git, etc. with HTTPS, or MUAs with secure SMTP/IMAP/POP
(but not S/MIME). The minority can install the S/MIME roots and have the
same security and functionality as now, while the majority will benefit
from better security.

Is this an acceptable solution pending a long-term effort to assess and
improve trust store handling in MUAs?

Regards,
Andrew
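
The split proposed in the message above, sketched as an added example that is not part of the original message or of Debian's packaging tools. It assumes the roots carry per-purpose trust attributes in the style of NSS's certdata.txt; the sample entries and the package name `ca-certificates-smime` are constructed for illustration.

```python
# Constructed sample in the style of NSS certdata.txt trust objects. The labels
# and the package name "ca-certificates-smime" are invented for this example.
SAMPLE = """\
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Web and Mail Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Mail Only Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
"""

TRUSTED = "CKT_NSS_TRUSTED_DELEGATOR"

def parse_trust_objects(text):
    """Return one dict of attribute -> value per CKO_NSS_TRUST object."""
    objects, current = [], None
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue  # blank or malformed line
        name, _type, value = parts
        if name == "CKA_CLASS":
            current = {} if value == "CKO_NSS_TRUST" else None
            if current is not None:
                objects.append(current)
        elif current is not None:
            current[name] = value.strip('"')
    return objects

def split_by_purpose(objects):
    """Assign each root to a package according to what it is trusted for."""
    packages = {"ca-certificates": [], "ca-certificates-smime": []}
    for obj in objects:
        tls = obj.get("CKA_TRUST_SERVER_AUTH") == TRUSTED
        email = obj.get("CKA_TRUST_EMAIL_PROTECTION") == TRUSTED
        if tls:
            packages["ca-certificates"].append(obj["CKA_LABEL"])
        elif email:
            # Email-only root: kept out of the store that TLS clients read.
            packages["ca-certificates-smime"].append(obj["CKA_LABEL"])
    return packages
```

Roots trusted for neither purpose land in no package, and a root trusted for both stays in the default package, so an S/MIME user would install both.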