
Bug 631650

Summary: app-misc/ca-certificates: PSPProcert root store trust
Product: Gentoo Security
Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: Auditing
Assignee: Gentoo Security Audit Team <security-audit>
Status: RESOLVED OBSOLETE
Severity: normal
CC: base-system
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://wiki.mozilla.org/CA:PROCERT_Issues
Whiteboard:
Package list:
Runtime testing required: ---

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-09-21 16:34:01 UTC
The Mozilla Root Store has published the following decision in the case of PROCERT, included in app-misc/ca-certificates as PSCProcert.pem.

It seems like it will be a straight removal upstream, so we need to keep track of its removal either in a new version or through direct measures.
##

The CA Certificates module owner and peers have come to a decision
regarding our investigations into the activities of the CA "PROCERT".

A large number of issues were raised regarding the operations and
practices of this CA:
https://wiki.mozilla.org/CA:PROCERT_Issues

Considering them, it seems clear to us that PROCERT have not been, and
continue not to be, adequately aware of the requirements placed upon
them by various RFCs, the CA/Browser Forum's Baseline Requirements, and
Mozilla Root Store Policy. They have not demonstrated sufficient control
of their issuance pipeline or sufficient checking of the results to
avoid regularly creating certificates which violate the requirements of
one or more of those documents. PROCERT have also made assurances to us,
via responses to CA Communications, that certain things were true which
are manifestly not so (e.g. that they were using properly-randomized
serial numbers).

In addition, PROCERT's response to these issues was inadequate. While
they revoked (most, but not all, of) the certificates which were flagged
as problematic, their written responses have been limited in number and
are very superficial. In some cases, it is clear that they have not
understood the issue that was raised. They have not, to our knowledge,
performed any root cause analysis which might allow us to have some
confidence that problems of this or a similar nature will not recur. We
have very little insight into their systems and what, if any, safeguards
they have in place.

It seems that PROCERT's belief is that revocation is an adequate remedy
for all of the problems listed. We disagree. Therefore, we feel we can
no longer trust PROCERT, and plan to proceed with removing their
"PSPProcert" certificate from our root program and root store.

Kathleen Wilson
Gervase Markham
Ryan Sleevi
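Tracking a root's removal, as the report above asks for, comes down to checking whether a certificate with a known SHA-256 fingerprint is still present in the installed bundle. The script below is an added example written for this page; it is not part of the bug report, of Mozilla's decision, or of app-misc/ca-certificates. The bundle contents, the "certificates" in it and the distrusted fingerprint are all constructed inline so it runs offline; the bundle path /etc/ssl/certs/ca-certificates.crt mentioned in the docstring is an assumption about where the merged bundle lives on a Gentoo system.

```python
"""Audit a PEM CA bundle for a specific root by SHA-256 fingerprint.

Added example for Gentoo bug 631650, not code from the bug report or from
app-misc/ca-certificates. Everything below is constructed: the sample
"certificates" are arbitrary byte strings, not real X.509 data, because a
fingerprint comparison only needs the DER bytes, not a parsed certificate.
On a real system, point the functions at the merged bundle (assumed here to
be /etc/ssl/certs/ca-certificates.crt) and pass the fingerprint published
for the root being removed.
"""
import base64
import hashlib
import re

# Plain "CERTIFICATE" blocks only; "TRUSTED CERTIFICATE" blocks with OpenSSL
# trust annotations are deliberately not matched by this pattern.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def normalize_fingerprint(fp):
    """Accept 'AA:BB:..', 'aabb..' or 'AABB..' (Mozilla's CCADB reports use
    the bare hex form) and return the colon-separated uppercase form."""
    h = re.sub(r"[^0-9A-Fa-f]", "", fp).upper()
    if len(h) != 64:
        raise ValueError("not a SHA-256 fingerprint: %r" % fp)
    return ":".join(h[i:i + 2] for i in range(0, 64, 2))


def sha256_fingerprint(der):
    """SHA-256 of the DER encoding, the value 'openssl x509 -noout
    -fingerprint -sha256' prints for the same certificate."""
    return normalize_fingerprint(hashlib.sha256(der).hexdigest())


def pem_to_der_blocks(bundle_text):
    """Return the DER bytes of every certificate in a PEM bundle, in order."""
    return [base64.b64decode(re.sub(r"\s+", "", b64))
            for b64 in PEM_BLOCK.findall(bundle_text)]


def der_to_pem(der):
    """Wrap DER bytes as a PEM block (64-column base64), used to build the
    constructed sample bundles below."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def bundle_fingerprints(bundle_text):
    """Fingerprints of every certificate in the bundle, in bundle order."""
    return [sha256_fingerprint(der) for der in pem_to_der_blocks(bundle_text)]


def find_distrusted(bundle_text, distrusted):
    """0-based positions of bundle entries whose fingerprint is in the
    distrusted set. An empty list means the removal has landed."""
    wanted = {normalize_fingerprint(fp) for fp in distrusted}
    return [i for i, fp in enumerate(bundle_fingerprints(bundle_text))
            if fp in wanted]


# Constructed sample data (not real certificates): three fake roots, one of
# which stands in for the root being removed.
FAKE_ROOT_A = b"\x30\x82\x01\x00" + b"A" * 256
FAKE_REMOVED = b"\x30\x82\x01\x00" + b"R" * 256
FAKE_ROOT_B = b"\x30\x82\x01\x00" + b"B" * 256

BUNDLE_BEFORE = der_to_pem(FAKE_ROOT_A) + der_to_pem(FAKE_REMOVED) + der_to_pem(FAKE_ROOT_B)
BUNDLE_AFTER = der_to_pem(FAKE_ROOT_A) + der_to_pem(FAKE_ROOT_B)
# In practice this set holds the published fingerprint of the real root.
DISTRUSTED = {sha256_fingerprint(FAKE_REMOVED)}


if __name__ == "__main__":
    for name, bundle in (("before", BUNDLE_BEFORE), ("after", BUNDLE_AFTER)):
        hits = find_distrusted(bundle, DISTRUSTED)
        print("%s: %d certs, distrusted at %s" % (name, len(bundle_fingerprints(bundle)), hits or "none"))
```

Run against the installed bundle, a non-empty result means the root is still trusted locally and the "direct measures" in the report are still needed; an empty result after the next ca-certificates upgrade confirms the upstream removal has reached the system. The same check can be done per file with `openssl x509 -noout -fingerprint -sha256 -in <cert>`, which prints the fingerprint in the colon form the script uses.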
Comment 1 Hanno Böck gentoo-dev 2021-10-01 12:55:02 UTC
This is obsolete, as it has been resolved by updating ca-certificates in the meantime.