Hi, On Tue, Nov 22, 2016 at 06:01:09PM +0000, Simon McVittie wrote: > On Tue, 22 Nov 2016 at 17:48:44 +0000, Iain R. Learmonth wrote: > > The root certificate has constraints > > that it can only be used to sign domains ending with .dn42 > > Does this package insert the dn42 CA into the system-wide default CA > store? > > (If it does, then I think it would be necessary to tread *very* > carefully.) > > Do all TLS libraries available in Debian respect those constraints?
Like the ca-cacert package, the certificate is only inserted into the system-wide CA store by deliberate action from the system administrator. They need to run dpkg-reconfigure ca-certificates and enable dn42/root-ca.crt otherwise the cert will be present but not included in that store. OpenSSL and gnutls both honor the constraints, gnutls overly honors them and fails to validate the root cert due to a bug, but this fails safely, not dangerously, and doesn't prevent normal usage of the cert. Thanks, Iain.
signature.asc
Description: PGP signature
