Ask HN: Safe to Install Government Root Certificate?
To access Spanish government services, I need to install a root certificate.
What are the security implications if any?
"To use your DNIe in your browser you need:
- Install the PKCS#11 Security Module
- Install the Root Certificate of the DNIe Certification Authority"
More info: https://www.dnielectronico.es/PortalDNIe/
20 comments
[ 2.9 ms ] story [ 44.8 ms ] threadThey don't need a root certificate installed on citizen's machines for that...
I would recommend only doing this in a local VM.
Browsers definitely are in a position to additionally restrict their trust to certs in their store to specific hostnames. But there doesn't seem to be any UI except explicit global trust and distrust.
Mitigating this, there are mechanisms to keep track of which certificates are used for which websites, so this could catch them in the act.
However, note that "Root CAs manually added to the trust store override and suppress Expect-CT reports/enforcement."
Since this is the Spanish government, it seems likely they will target Catalonia somehow.
Who decides who is a trustworthy issuer?, and why can’t we, users, modify these lists? (At least on iOS)
Worth noting that there’s an effort underway in the EU to take that decision out of the hands of browsers and mandate inclusions for EU CAs that meet the EU’s QWAC TSP standard, which would presumably include OP’s Spanish govt. CA.
For the inability to modify those lists on iOS, I’m with you: I would want to see the same level of modification ability for mobile platforms that we currently have on desktop OSes, but it’s up to Apple to implement that.
It's issued by the spanish spy agencies rather than NSA - wouldn't you as a patriotic citizen of Spain trust your own intelligence services over foreign ones? ;) This is not a new debate though - when Let's Encrypt was launched some netizens had pointed out that similar setups existed but no one (read BigTech) embraced it till an "American" solution appeared.
[1] - https://www.qubes-os.org/
[2] - https://www.virtualbox.org/
I think they ought to be setting it for usage for client identification only.
If it's for server identification too, I wouldn't trust it.
Most certificate stores will not allow the import of a certificate that has been signed by a trusted root that it doesn't know about. That is why you're required to import that root cert.
As for what features it states that it supports ... That's another matter entirely!