On Mon, Apr 02, 2012 at 12:54:59PM -0700, Russ Allbery wrote:
> Daniel Kahn Gillmor <d...@fifthhorseman.net> writes:
>
> > There are (at least) two classes of "local certs" -- this is the core of
> > all of this confusion.
> >
> >  0) there are certificate authority certs that the admin wants to rely
> >     on for certification.
> >
> >  1) there are certs used to identify TLS-capable services on the machine
> >
> >  2) (additionally, there are potentially intermediate certificates that
> >     chain back from the certs in class 1 -- these are needed for regular
> >     operation if certs in class 1 were not issued directly by a root
> >     authority).
>
> > But (AFAIK) there aren't any well-documented/clear/commonly-held
> > standards for where certs in classes 1 and 2 should be placed.
>
> > I think it would ease administration (and make it easier for various
> > debian-knowledgeable admins to help each other) if there was such a
> > standard.
>
> You definitely want class 0 and class 2 certs hashed into the same
> directory under nearly all circumstances that don't involve being very
> paranoid about the CAs that you accept, since that allows the OpenSSL
> CAdir directive to work properly and is WAY easier to maintain.
>
> It is often nice to have class 1 certs in the same location for the same
> reason, although not quite as important.

What about certificates used for wpasupplicant using WPA-EAP/TTLS?
Where should I put them?

Cheers,
--
Bill. <ballo...@debian.org>

Imagine a large red swirl here.

Archive: http://lists.debian.org/20120402202346.GB18895@yellowpig
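
What "hashed into the same directory" means for an OpenSSL CA directory lookup, as an added example that is not part of the original thread: a throwaway root (class 0), intermediate (class 2) and service cert (class 1) are built, and the service cert only verifies once the CA directory holds `<subject_hash>.<n>` links. All names, paths and helper functions are constructed for illustration, and an `openssl` CLI on the PATH is assumed.

```shell
#!/usr/bin/env bash
# Constructed demo: throwaway three-tier PKI in a temp dir; every name is made up.
set -eu

mkpki() {  # $1 = work dir; CA certs land in $1/cadir, the service cert in $1
  local d=$1
  mkdir -p "$d/cadir"
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=unused' \
    '[ca]' 'basicConstraints=critical,CA:TRUE' > "$d/o.cnf"
  # class 0: self-signed root CA
  openssl req -x509 -config "$d/o.cnf" -extensions ca -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/cadir/root.pem" 2>/dev/null
  # class 2: intermediate CA issued by the root
  openssl req -new -config "$d/o.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/cadir/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -extfile "$d/o.cnf" -extensions ca -days 2 \
    -out "$d/cadir/int.pem" 2>/dev/null
  # class 1: service cert issued by the intermediate
  openssl req -new -config "$d/o.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=service.example" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/cadir/int.pem" -CAkey "$d/int.key" \
    -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

hash_dir() {  # add <subject_hash>.<n> symlinks, the names a CApath lookup opens
  local dir=$1 f h n
  for f in "$dir"/*.pem; do
    h=$(openssl x509 -noout -subject_hash -in "$f")
    n=0
    while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
    ln -s "$(basename "$f")" "$dir/$h.$n"
  done
}

verify_leaf() {  # true when the service cert verifies with -CApath set to cadir
  openssl verify -CApath "$1/cadir" "$1/leaf.pem" 2>&1 | grep -q ': OK'
}

demo() {
  local d; d=$(mktemp -d)
  mkpki "$d"
  if verify_leaf "$d"; then echo "unhashed dir: OK"; else echo "unhashed dir: FAIL"; fi
  hash_dir "$d/cadir"
  if verify_leaf "$d"; then echo "hashed dir: OK"; else echo "hashed dir: FAIL"; fi
  rm -rf "$d"
}
demo
```

On a real system `c_rehash` or `openssl rehash` maintains these links; the manual loop is only there to show what they create.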