Package: ca-certificates
Severity: important

Hi,
Just to make this public, I believe no new CA should be accepted as long as a proper procedure isn't defined and guaranteed to remain in place (e.g. by automating whatever process is defined.) Reasoning being that with the exception of spi-inc.org, cacert.org, and perhaps debconf.org, all the other CAs that have only been included in Debian have certificates that (one or more may apply):

* have expired
* are about to expire and nobody has made any attempt to contact us
* their CRLs are no longer being updated
* there are no traces of the CAs online, not even revocation certs

Although we do have a disclaimer, it is irresponsible to allow such CAs in ca-certificates. The only exception should be new CAs added via Mozilla.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

