elixir-mint/castore

CaStore and certifi

chulkilee opened this issue · 4 comments

I believe :certifi.cacertfile() is the same feature as CAStore.file_path(), as both provide a local file path for up-to-date Mozilla certs by default.

Could someone explain the point of having its own castore library instead of using :certifi?

@chulkilee certifi’s certificates come from mkcert.org but the Erlang port switched to cURL’s bundle without warning (see certifi/erlang-certifi@c8e2763#diff-908b453051b556e053731714a5193921). There’s no particular reason to trust mkcert.org either.

I can’t speak for the maintainers, but I think it boils down to the chain of trust.

I can understand why Mint chose to depend on cURL’s bundle directly. And it is published separately as CAStore, so others can choose to depend on this chain of trust.

https://github.com/ericmj/castore/blob/db5ac5917448c0f1220be31cffbdfa7abea8d97a/lib/mix/tasks/certdata.ex#L25

So... "probably" they end up with the same result (not confirmed).

It's unfortunate that Mozilla provides the bundled CA for general purpose and PEM format (probably related: CA/Additional Trust Changes - MozillaWiki). That's why many projects use curl's bundle.

The converted PEM file only contains the digital signatures for CAs. Several of those CAs have constraints in Firefox (and other browsers) to only be allowed for certain domains and other similar additional conditions. Those constraints are thus not brought along in this cacert file!
curl - Extract CA Certs from Mozilla

I really hope there would be just one library for 1) an up-to-date CA bundle and 2) optionally a way to update it securely.

It would be really nice if Mozilla provided an API giving a general-purpose versioned CA bundle with a checksum or GPG signature, so that we don't need to trust the curl project's distribution.

@chulkilee Yes, I’m aware both projects source from cURL. I’ve even checked that both bundles are currently identical.

I’m saying they have different chains of trust. When you use certifi, you trust benoitc too. He changed bundles without warning, will he do that again? When asked, he doesn’t respond. I’ve also wrestled with many breaking changes in hackney so that colours my opinion.

As for bundle updates, compare certifi’s commit history with CAStore’s commit history. CAStore tracks cURL revisions closely.

Finally, if you want one library, I support the one by Elixir/Phoenix/Ecto core team members with proven track records.
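The check mentioned above, that two CA bundles are "currently identical", is easy to do by certificate content rather than by file bytes: the curl bundle carries comment headers and names between the PEM blocks, so a byte-for-byte diff can report differences that are not real. The following is an added example, not code from either project, using only the Python standard library; the two bundles it compares are constructed placeholders (base64 of short byte strings, not real X.509 certificates), since the comparison only hashes the decoded DER payload.

```python
import base64
import hashlib
import re

# Matches each CERTIFICATE block; anything outside (curl's headers, CA names) is ignored.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def fingerprints(pem_text):
    """Return {sha256_hex_of_der: der_bytes} for every certificate in a PEM bundle."""
    out = {}
    for b64 in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(b64.split()))  # strip PEM line wrapping
        out[hashlib.sha256(der).hexdigest()] = der
    return out


def diff_bundles(pem_a, pem_b):
    """Compare two bundles by certificate fingerprint, independent of order or comments."""
    a, b = set(fingerprints(pem_a)), set(fingerprints(pem_b))
    return {
        "only_a": sorted(a - b),
        "only_b": sorted(b - a),
        "common": len(a & b),
    }


def pem_block(payload):
    """Wrap raw bytes as a PEM CERTIFICATE block (constructed test data, not a real cert)."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(payload).decode() + "\n-----END CERTIFICATE-----\n"


# Constructed sample bundles: "certifi-like" and "castore-like" with curl-style comments.
BUNDLE_A = "## Bundle A\n\nRoot One\n========\n" + pem_block(b"cert-one") + "\nRoot Two\n========\n" + pem_block(b"cert-two")
BUNDLE_A_REORDERED = "# different header text\n" + pem_block(b"cert-two") + pem_block(b"cert-one")
BUNDLE_B = BUNDLE_A + "\nRoot Three\n==========\n" + pem_block(b"cert-three")

if __name__ == "__main__":
    print(diff_bundles(BUNDLE_A, BUNDLE_A_REORDERED))  # no differences, 2 common
    print(diff_bundles(BUNDLE_A, BUNDLE_B))            # one certificate only in B
```

Run against real files with `diff_bundles(open(a).read(), open(b).read())`, where `a` and `b` are the paths returned by `:certifi.cacertfile()` and `CAStore.file_path()`.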

We need to control the library that we tell our users to trust for the certificates. We also need to control versioning and the release process. Thanks for the issue! 💟