id,summary,reporter,owner,description,type,status,priority,milestone,component,resolution,keywords,cc,fix_version,see_also
1389,Remove MIT CA from global trust store,geofft,,"It's been more than a year since mitcert started issuing certs via !InCommon/Internet2 (an intermediate via the well-known !AddTrust root), instead of via the MIT CA. I ''believe'' this means that all MIT CA-signed certs are now expired, although I haven't checked. If this is the case, we no longer need to ship the MIT CA and configure it in the system trust store. Chrome / Chromium now has a [https://www.imperialviolet.org/2011/05/04/pinning.html certificate authority pinning feature], where several high-risk sites (Google, Twitter, Tor, [https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json etc.]) are restricted in which CAs are allowed to sign them. As that article points out, any locally-configured CAs are also permitted, since Chrome can't distinguish private CAs like MIT's from semi-legitimate SSL MITM proxies. This effectively means that the MIT CA is permitted to MITM these high-traffic sites, meaning that including the MIT CA is a security risk (it could get stolen or otherwise misused) for zero security benefit (if there are no unexpired MIT CA-signed certs).",defect,closed,high,Summer 2014,--,fixed,,,debathena-ssl-certificates 1.6-0debathena2,