On 25-05-13 04:04, Christoph Anton Mitterer wrote:
> On Fri, 2013-05-24 at 12:32 +0200, Dennis van Dok wrote:
>> The point I'd like to raise is that the current model of CA
>> certificates seems to take an all-or-nothing approach: either a CA is
>> trusted (for whatever purpose) or not. For the IGTF CAs, this may not
>> be the right approach.
> I don't think that's a good idea for ca-certificates either,... but I
> don't think you can really do anything against it... either the cert is
> installed in /etc/ssl or not... the problem here lies actually with the
> clients, when they don't allow you to specify another store location to
> have more fine grained possibilities...
>
> Sure there is what Kurt mentions... but I mean that doesn't make things
> really better IMHO, as it only allows to set a few "roles",... not
> something like ejabberd should accept this, but apache should not, or
> does it?

No, I don't think so; the feature is quite limited that way.

> but I think it's very problematic that ca-certificates includes
> extremely untrustworthy CAs like CNNIC...

...which is included in Mozilla. That discussion should be taken there (indeed it was [1]), as in Debian it was agreed we're not going to do better than Mozilla at judging CAs [2].

1. https://groups.google.com/forum/?fromgroups=#!topic/mozilla.dev.security.policy/F7471-CzPow[1-25-false]
2. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=647848

> Anyway... good to see you again bringing the IGTF bundle to
> Debian :)

Thanks! In order to move forward, I really need someone to have a look at my package. I need to know that I'm on the right track.

Cheers,

Dennis

--
D.H. van Dok :: Software Engineer :: www.nikhef.nl/grid
:: Phone +31 20 592 22 28 :: http://www.nikhef.nl/~dennisvd/