BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//pretalx.devconf.info//devconf-cz-2026//talk//RBK7AN
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-devconf-cz-2026-RBK7AN@pretalx.devconf.info
DTSTART;TZID=CET:20260619T123500
DTEND;TZID=CET:20260619T125000
DESCRIPTION:Linux distributions\, container images\, mobile devices come wi
 th about 150 root certificates from OpenSSL and Mozilla. Do we really know
  who is issuing these certificates? Why do we trust random government bodi
 es from the EU\, US and China? Why does some post office have the same tru
 st that some telecom operator has? In practice\, any one of them can issue
  a certificate for any domain on the internet.\n\nThis talk argues that th
 e default CA trust model is over-permissive and poorly understood. We need
  to look at what is actually inside common CA bundles.\n\nSolution: Review
  your ca-bundles and drop anything strange. If you develop an important ap
 plication that must be 100% trustable\, pin the certificate.
DTSTAMP:20260430T125156Z
LOCATION:A113 (capacity 64)
SUMMARY:PKI problem: who we actually trust - Andrey Bondarenko
URL:https://pretalx.devconf.info/devconf-cz-2026/talk/RBK7AN/
END:VEVENT
END:VCALENDAR
