What is Nostr?
Mike Hearn [ARCHIVE] /
npub17ty…qgyd
2023-06-07 15:28:43
in reply to nevent1q…flcj

Mike Hearn [ARCHIVE] on Nostr: 📅 Original date posted:2015-01-28 📝 Original message:> > I'm frankly ...

📅 Original date posted:2015-01-28
📝 Original message:>
> I'm frankly _horrified_ to learn that BitcoinJ ships its own root CA
> certificates bundle. This means that, if a root CA gets breached and a
> certificate gets revoked, all BitcoinJ-using software will be vulnerable
> until BitcoinJ ships an update *and* the software in question pulls in the
> new BitcoinJ update and releases its own update. That might never happen.


If your wallet is unmaintained, you have other problems beyond (extremely
rare) root CA revocations.

As far as I know the only time a CA in wide usage has been revoked entirely
is DigiNotar.

One advantage of doing it this way is if, for example, a widely used piece
of community infrastructure (e.g. bitcointalk, reddit, whatever) decides to
become a CA, the Bitcoin community can decide to have different inclusion
rules vs the OS/browser root CA programs. For example we'd probably relax
the constraint to use an HSM and just ensure that the rendering of the
asserted identity isn't confusible with other kinds of more strongly
protected identities. For example no forum usernames like "foo.com" but
rendering it in the UI as "Reddit forum user foo.com" would be OK.

Also you don't get problems due to old operating systems not including new
certs.

Finally, Linux doesn't have any kind of standardised cert/keystore API.
There are a few places where popular distros put certs but AFAIK they
aren't standardised and there's no standard code to load them. So that's
another reason why there's a built in store.

But yes, this is a debatable topic on which reasonable people can disagree.
The API makes it easy to use the platform OS store for wallet devs that
want to do that, and I think using the platform store on Android is the
default. It's only on the desktop where we fall back to a different store.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20150128/bdcd16f5/attachment.html>;
Author Public Key
npub17ty4mumkv43w8wtt0xsz2jypck0gvw0j8xrcg6tpea25z2nh7meqf4qgyd