📅 Original date posted:2015-01-28
📝 Original message:On Wednesday, 28 January 2015, at 5:19 pm, Giuseppe Mazzotta wrote:
> On 28-01-15 16:42, Mike Hearn wrote:
> > Just as a reminder, there is no obligation to use the OS root
> > store. You can (and quite possibly should) take a snapshot of the
> > Mozilla/Apple/MSFT etc stores and load it in your app. We do this
> > in bitcoinj by default to avoid cases where BIP70 requests work on
> > some platforms and not others, although the developer can easily
> > override this and use the OS root store instead.
> >
> Except that Mozilla/Apple/MSFT will update these certificate stores -
> second their policies - and your snapshot/collection might get
> outdated at a different pace than the OS-provided certificates,
> depending on how you (or the package maintainer) are rolling out updates.
I'm frankly _horrified_ to learn that BitcoinJ ships its own root CA certificates bundle. This means that, if a root CA gets breached and a certificate gets revoked, all BitcoinJ-using software will be vulnerable until BitcoinJ ships an update *and* the software in question pulls in the new BitcoinJ update and releases its own update. That might never happen.
Matt Whitlock [ARCHIVE] /
npub17q…upwet
2023-06-07 15:28:43
in reply to nevent1q…upl7
Author Public Key
npub17qxssk9sj2r7jswvh3y32e7vwz7mcckhz33gk9nurdmw0lhsfkgswupwetPublished at
2023-06-07 15:28:43Event JSON
{
"id": "2de1abbe667d5165c554d675308c5918e45c8ef23ba71f26383f46daa94483f4",
"pubkey": "f00d0858b09287e941ccbc491567cc70bdbc62d714628b167c1b76e7fef04d91",
"created_at": 1686151723,
"kind": 1,
"tags": [
[
"e",
"e1f7de9a3cc96853dcc43455df7f54523449e553ee4cde336d6870fe0e40792d",
"",
"root"
],
[
"e",
"39a4b1465e064baa3b2e96d3cd8777f917e357f13a251a21efedc7e7b3b3af96",
"",
"reply"
],
[
"p",
"6f65f5cf24f121764b6253c6024a8ae75ae30251c857379ca42385287456fc6a"
]
],
"content": "📅 Original date posted:2015-01-28\n📝 Original message:On Wednesday, 28 January 2015, at 5:19 pm, Giuseppe Mazzotta wrote:\n\u003e On 28-01-15 16:42, Mike Hearn wrote:\n\u003e \u003e Just as a reminder, there is no obligation to use the OS root\n\u003e \u003e store. You can (and quite possibly should) take a snapshot of the\n\u003e \u003e Mozilla/Apple/MSFT etc stores and load it in your app. We do this\n\u003e \u003e in bitcoinj by default to avoid cases where BIP70 requests work on\n\u003e \u003e some platforms and not others, although the developer can easily\n\u003e \u003e override this and use the OS root store instead.\n\u003e \u003e\n\u003e Except that Mozilla/Apple/MSFT will update these certificate stores -\n\u003e second their policies - and your snapshot/collection might get\n\u003e outdated at a different pace than the OS-provided certificates,\n\u003e depending on how you (or the package maintainer) are rolling out updates.\n\nI'm frankly _horrified_ to learn that BitcoinJ ships its own root CA certificates bundle. This means that, if a root CA gets breached and a certificate gets revoked, all BitcoinJ-using software will be vulnerable until BitcoinJ ships an update *and* the software in question pulls in the new BitcoinJ update and releases its own update. That might never happen.",
"sig": "347b4a35919bc952e0cfaf1907e0225ec0bda6d552fe10119f719d194083ea1c56596b0bdf229ec6201fdc341a8e9c3a94fdf441ad75d2bbe68a36a19120b893"
}