HACKER Q&A
📣 35mm

Safe to Install Government Root Certificate?


To access Spanish government services, I need to install a root certificate.

What are the security implications if any?

"To use your DNIe in your browser you need:

- Install the PKCS#11 Security Module

- Install the Root Certificate of the DNIe Certification Authority"

More info: https://www.dnielectronico.es/PortalDNIe/


  👤 im3w1l Accepted Answer ✓
The security implication is that the government can use it to sign certificates for any website of their choice. This means that they can snoop and/or replace the content.

Mitigating this, there are mechanisms to keep track of which certificates are used for which websites, so this could catch them in the act.

However, note that "Root CAs manually added to the trust store override and suppress Expect-CT reports/enforcement."

Since this is the Spanish government, it seems likely they will target Catalonia somehow.


👤 keikobadthebad
Browsers seem to lack a way to trust a CA only for specific domains.

👤 LinuxBender
I do not have the answer to your specific question as I have no inside knowledge of that government. To mitigate potential concerns I would install that cert into a browser that is in a virtual machine. Qubes OS [1] and VirtualBox [2] are a couple of free options. Qubes is about a 5GB download. VirtualBox is a much smaller application download but would require a small desktop ISO to boot a VM from. If their site complains you are using a VM then you know something interesting is going on.

[1] - https://www.qubes-os.org/

[2] - https://www.virtualbox.org/


👤 zubiaur
Related, but why do pre-installed root certificates include certificates issued by governments like, say, Venezuela (Autoridad de Certificacion Raiz del Estado Venezolano)?

Who decides who is a trustworthy issuer, and why can’t we, users, modify these lists? (At least on iOS)


👤 webmobdev
It can be misused by the government to spy on you - https://www.makeuseof.com/tag/what-is-root-certificate/ ... But it's also a valid use case for a government to issue certificates to access their own sites securely.

👤 opless
It depends on the root certificate usage policy.

I think they ought to be setting it for usage for client identification only.

If it's for server identification too, I wouldn't trust it.

Most certificate stores will not allow the import of a certificate that has been signed by a trusted root that it doesn't know about. That is why you're required to import that root cert.

As for what features it states that it supports ... That's another matter entirely!
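
An added example, not part of any post in this thread: it shows how far an installed root reaches when it carries no limits, and what a DNS name constraint or a client-auth-only extended key usage on the root changes. Go's `crypto/x509` verifier stands in for the TLS client here (an assumption; browser trust stores may treat these fields differently), and the CA and the `.example` hostnames are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mint signs tmpl with the parent's key (self-signed when parent is nil).
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// AcceptedAsServer: would a client trusting a constructed root (limited by rootEKU
// and permittedDNS; nil = unlimited) accept a server cert it issued for host?
func AcceptedAsServer(rootEKU []x509.ExtKeyUsage, permittedDNS []string, host string) bool {
	root, rootKey := mint(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		ExtKeyUsage: rootEKU, PermittedDNSDomains: permittedDNS,
	}, nil, nil)
	leaf, _ := mint(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	pool := x509.NewCertPool()
	pool.AddCert(root) // the "install this root certificate" step
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

func main() {
	clientOnly := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	fmt.Println(AcceptedAsServer(nil, nil, "bank.example"))                     // unlimited root
	fmt.Println(AcceptedAsServer(nil, []string{"gob.example"}, "bank.example")) // outside constraint
	fmt.Println(AcceptedAsServer(clientOnly, nil, "sede.gob.example"))          // client-auth-only root
}
```

Before importing a real root, the same fields (`ExtKeyUsage`, `PermittedDNSDomains`) can be read from the parsed certificate to see whether it declares any such limit.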


👤 hiciu
Perhaps you can add this CA only to a dedicated browser profile?

👤 2Gkashmiri
What benefit is this "root certificate" over letsencrypt? Why force users to install certificates? Can we define what websites are compatible with a said certificate, so a *.gov for example?

👤 giantg2
Depends if you trust your government.