commit: 3ef4adaf4bbd23d345723e443e5352918f1f0688
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date: Sun, 7 May 2017 02:05:40 +0200
Initial Commit
Diffstat:
4 files changed, 115 insertions(+), 0 deletions(-)
diff --git a/CertificatesAutorities.md b/CertificatesAutorities.md
@@ -0,0 +1,46 @@
+## CACert.org
+-recomendations: Medium
+ - SHA1 Fingerprint
+ - no ECC certificates
+-signed: 1024D OpenPGP on SHA1 fingerprint
+-verification:
+ - domains aren’t checked for modifications (verifies only once)
+ - uses hardcoded/whois’ed emails… not so secure (let’s register every {admin,root,webmaster}@host with public registeration)
+
+## immerda.ch
+-note: There is something about Let’s Encrypt on the website, I hope they keep their CA until Let’s Encrypt is more trustable
+-recomendations: OK
+-signed: OpenPGP on root
+-verification: unknow
+
+## sks-keyservers.net
+-recomendations: OK
+-signed: OpenPGP on root
+-verification: OK(only for keyservers)
+
+## hackint.org
+-signed: OpenPGP on root
+-recomendations: OK
+-verification: OK(only for hackint.org)
+
+## LetsEncrypt.org
+-note: is probably too big[1], legalities are horrible (but you don’t actually accept them knownfully)
+-recomendations: OK
+-signed: No
+-verification: OK(ACME)
+
+## IdenTrust.com
+-note: Cross-sign of LetsEncrypt.org
+-recomendations:
+ - SHA1 Fingerprint
+-signed: No
+-verification: unknow
+
+## Symantec.com
+-recomendations:
+ - SHA1 Fingerprint
+-signed: Fingerprint but SHA1
+-verification: unknow
+
+---
+1: owners/crackers/governments will do shit on it
diff --git a/README.md b/README.md
@@ -0,0 +1,13 @@
+# CA certificates
+Notes:
+* CAs are deprecated (for me), we should use alternatives (DANE is good, maybe a TLS-side HPKP, DNSSEC should be replaced with DNSCrypt or equivalent). So this is only for like… backward compatibility but still staying secure.
+
+## Rules
+- CA root file MUST be OpenPGP signed or equivalent
+- Certification Autorities SHOULD verify owning of the address/domain and MUST NOT create know fake certificates
+- SHOULD follow latest recomendations/rules of cryptography (RFC, parts of : NSA, NIST, ANSSI)
+
+## Dependencies
+* POSIX system
+* Internet (downloading CA root certificates)
+* OpenPGP
diff --git a/make.sh b/make.sh
@@ -0,0 +1,56 @@
+GET="wget -c --no-check-certificate"
+OPGP="gpg --auto-key-retrieve --verify"
+SRC_URI="https://hackint.org/crt/rootca.crt
+https://sks-keyservers.net/sks-keyservers.netCA.pem
+https://sks-keyservers.net/sks-keyservers.netCA.pem.asc
+https://www.immerda.ch/assets/certs/immer-ca.crt
+https://www.immerda.ch/assets/certs/immer-ca.crt.asc"
+
+VERIFICATIONS="openpgp-direct openpgp-fingerprint"
+
+openpgp-direct() {
+ for i in *.asc; do $OPGP ${i} || exit; done
+}
+openpgp-fingerprint() {
+ echo 'Not yet done, anyway cacert.org uses broken crypto for this verification'
+ exit
+}
+
+clean() {
+ set -x
+ rm -fr src/* ca-certificates.pem
+}
+
+install() {
+ echo 'I don’t know how to install… there is no standard on that'
+ echo " * OpenSSL/LibreSSL: put ca-certificates.pem or src/*.pem in /usr/local/share/ca-certificates and do update-ca-certificates"
+ echo " * GnuPG: “hkp-cacert $(pwd)/src/sks-keyservers.netCA.pem” in ${GNUPGHOME:-$HOME/.gnupg}/dirmngr.conf"
+ echo " * Mono (import): mozroot --import $(pwd)/ca-certificates.pem"
+ echo " * Mono (replace): mozroot --sync --file $(pwd)/ca-certificates.pem"
+}
+
+main() {
+ set -x
+
+ mkdir src; cd src
+
+ for i in $SRC_URI; do $GET ${i}; done
+ wget -O rootca.crt.asc https://hackint.org/crt/sigs/combined.asc
+ for i in $VERIFICATIONS; do ${i}; done
+
+ cd ..
+
+ cat src/*.crt src/*.pem > ca-certificates.pem
+}
+
+case "$1" in
+ clean*)
+ clean
+ ;;
+ install*)
+ install
+ ;;
+ all*|*)
+ main
+ ;;
+esac
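Review bot: The root certificates are fetched with `--no-check-certificate` (the `GET` definition at the top of the hunk) and then verified with `gpg --auto-key-retrieve --verify` in `openpgp-direct`, which, as far as I can tell, imports whichever key matches the key ID embedded in the signature, so an on-path attacker who replaces a root certificate and its `.asc` with ones signed by their own key still gets a good-signature result; nothing in the script pins the expected signers. Dropping `--no-check-certificate` only narrows this, since the README makes the OpenPGP signature the trust anchor; the verifier should compare the `VALIDSIG` fingerprint gpg reports against a hard-coded set obtained out of band, as sketched below with the fingerprint list left as a placeholder because the expected values are not in this commit. Separately, `openpgp-fingerprint` runs a bare `exit` after its echo, and because `$VERIFICATIONS` lists it, `main` ends (with status 0, the echo's status) before the `cat` that builds `ca-certificates.pem`; dropping it from `VERIFICATIONS` until implemented, or making its body `return 0`, fixes that.
```shell
GET="wget -c"
# Fingerprints of the keys allowed to sign the downloaded roots, obtained
# out of band (not from the same HTTPS download). TODO: fill in.
TRUSTED_FPRS=""
OPGP="gpg --auto-key-retrieve --status-fd 1 --verify"

openpgp-direct() {
    for i in *.asc; do
        fpr=$($OPGP "${i}" 2>/dev/null | sed -n 's/^\[GNUPG:\] VALIDSIG \([0-9A-Fa-f]*\) .*/\1/p')
        case " ${TRUSTED_FPRS} " in
            *" ${fpr} "*) ;;  # good signature from a pinned key
            *) echo "untrusted or bad signature on ${i}" >&2; exit 1 ;;
        esac
    done
}
# … unchanged: openpgp-fingerprint, clean, install, main, case dispatch …
```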
diff --git a/src/.keep b/src/.keep