[debian-mysql] Bug#671534: Use case?

Russ Allbery rra at debian.org
Sat May 5 18:51:52 UTC 2012


Nicholas Bamber <nicholas at periapt.co.uk> writes:

> 	Although in general I am all for standardization, I am not
> actually clear about the use case here.

> 	The typical case to which you refer is a browser-like client
> talking to a webserver-like server using certificates checkable with
> external authorities.

> 	In the MySQL case both client and server must be using MySQL code
> at some level and the certificates are likely to be managed by an
> authority internal to the organization.

I don't really agree with your last assumption... or at least this isn't
true of us at Stanford.  We use commercial Comodo certificates for
anything internal that isn't just test/dev (and increasingly for that),
since we have a site-license for Comodo certificates and they're free.
There's no reason not to, and using a CA that's already built into various
software makes everything easier.  (This is likely common for US
universities that are part of Internet2, since Internet2 negotiated a
general agreement with Comodo.)

But even apart from that, suppose it is managed by an authority internal
to the organization.  The obvious thing to do with the certificate for
that internal CA on a Debian system is to put it into
/usr/local/share/ca-certificates and then let ca-certificates add it to
all the other trusted CAs.  That way, certificates issued by your internal
CA will transparently work with anything on a Debian system that uses SSL,
not just web browsers.

We use that same /etc/ssl/certs infrastructure for our internal Usenet
server, for the certificates for our LDAP servers, our SMTP servers, and
so forth.  (And indeed for LDAP and SMTP, even if you don't have free
commercial certificates, it's usually a good idea to get commercial
certificates so that you don't have to deal with the CA distribution
hassle.)

Also, it's worth mentioning that anyone can get free trusted certificates
that will be verified by the /etc/ssl/certs infrastructure from
cacert.org.

I suppose the drawback to using /etc/ssl/certs by default is that people
may not want to trust the commercial CA authorities by default, and there
are some reasons to be concerned about that.  But, there, I think the risk
for MySQL in most ways in which it's used is probably lower than for the
web browser, since the MySQL clients are more likely to be on controlled
networks and therefore less likely to be prone to easy man-in-the-middle
attacks.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>
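The /usr/local/share/ca-certificates workflow described in the message above, as an added shell example (not part of the thread and not code from the Debian MySQL packaging): it shows the Debian install step for an internal CA, then builds a throw-away CA and server certificate locally and verifies the server certificate the way any OpenSSL-based client would, against a bundle file (the ca-certificates.crt form) and against a hashed directory (the /etc/ssl/certs form), before and after the internal CA is added. The names internal-ca.crt, db.example.internal and the CA subject names are made up for the demo; the install function needs root and is not run.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Debian MySQL packaging.
# (1) the Debian step that puts an internal CA into the shared trust store;
# (2) what an OpenSSL-based client sees when verifying a server certificate
#     with and without that CA, using a throw-away PKI built in a temp dir.
# Names such as internal-ca.crt and db.example.internal are placeholders.

# Minimal openssl.cnf so the demo does not depend on the system config.
write_req_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# The Debian-specific part (needs root; not run by the demo below):
# a PEM file with a .crt suffix under /usr/local/share/ca-certificates is
# picked up by update-ca-certificates, hashed into /etc/ssl/certs/ and
# appended to /etc/ssl/certs/ca-certificates.crt.
install_internal_ca() {
    cp "$1" /usr/local/share/ca-certificates/internal-ca.crt
    update-ca-certificates
}

# Self-signed CA certificate + key (CA:TRUE comes from ca_ext above).
make_ca() {   # $1 = dir, $2 = name, $3 = CN
    openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Server certificate issued by the named CA.
issue_server_cert() {   # $1 = dir, $2 = issuing CA name
    openssl req -new -config "$1/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=db.example.internal" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/server.csr" \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/server.crt" 2>/dev/null
}

# Verify a leaf against a bundle file (the ca-certificates.crt form).
verify_with_bundle() {   # $1 = bundle, $2 = leaf; prints ok|fail
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Verify a leaf against a hashed directory (the /etc/ssl/certs form).
verify_with_dir() {   # $1 = dir, $2 = leaf; prints ok|fail
    if openssl verify -CApath "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

demo() {
    dir=$(mktemp -d)
    write_req_config "$dir/req.cnf"
    make_ca "$dir" internal "Example Internal CA"
    make_ca "$dir" other "Some Unrelated Public CA"
    issue_server_cert "$dir" internal

    # Trust store before the internal CA is installed: only the unrelated CA.
    cp "$dir/other.crt" "$dir/before.crt"
    # Trust store after update-ca-certificates: the bundle now includes it ...
    cat "$dir/other.crt" "$dir/internal.crt" > "$dir/after.crt"
    # ... and the hashed directory gets an entry for it (openssl rehash does
    # for this directory what update-ca-certificates does for /etc/ssl/certs).
    mkdir "$dir/certs"
    cp "$dir/other.crt" "$dir/internal.crt" "$dir/certs/"
    openssl rehash "$dir/certs" 2>/dev/null

    before=$(verify_with_bundle "$dir/before.crt" "$dir/server.crt")
    after=$(verify_with_bundle "$dir/after.crt" "$dir/server.crt")
    dirck=$(verify_with_dir "$dir/certs" "$dir/server.crt")
    rm -rf "$dir"
    echo "before=$before bundle=$after capath=$dirck"
}

demo
```

Once the CA is in the shared store, a client only has to point at it once (the mysql client's --ssl-ca and --ssl-capath options take exactly these two forms) rather than carrying a copy of the CA certificate per application, which is the distribution hassle the message refers to.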