
Re: Adding CA certificates outside of ca-certificates (see ITP #666229)



Hi Dennis,

On Mon, April 16, 2012 15:44, Dennis van Dok wrote:
> I would like to include the CA distribution of the IGTF
> (www.igtf.net), which is an international collaboration of CAs for use
> in the e-science communities (i.e. scientific grid computing & cloud
> computing).

> http://mentors.debian.net/package/igtf-policy-bundle

You're probably aware that there's already an APT-compatible repository
that contains Debian packages for the current IGTF distribution?
https://dist.eugridpma.info/distribution/igtf/current/

How does this package relate to that? What goal do you want to reach by
uploading to Debian proper? In the IGTF community it's more or less
expected that relying parties update their trust anchors not too long
after new IGTF updates are released - if a relying party uses packages
from Debian (old)stable they can easily be two or three years old and are
not easily updated. I'm not sure if newly accredited CAs would be
enthusiastic to wait that long, for example.

> The policy bundle offers a choice of opt-in or opt-out, so it's easy
> to enable 'all but a few' or 'none but a few' certificates. And
> enabling here means placing symlinks in
> /etc/grid-security/certificates, which is the de facto place for grid
> middleware to look for certificates.

I think that makes sense: placing or linking them in
/etc/grid-security/certificates/ 'enables' them from a grid middleware
point of view. As I understand it, you're not doing anything with /etc/ssl
or ca-certificates.crt. This means that the certificates will not change
the trust anchors for 'regular' tools on the system (curl, system daemons,
etc).

I'm unfortunately not at the upcoming EUgridPMA meeting in Karlsruhe this
May, but perhaps there's another opportunity where we can meet to discuss
the ideas and specifics.


Cheers,
Thijs
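As an added illustration of the enable-by-symlink scheme discussed in the thread (example code, not part of the igtf-policy-bundle package or of either message above): a POSIX shell sketch of opt-in ('none but a few') and opt-out ('all but a few') selection that only writes symlinks into a directory standing in for /etc/grid-security/certificates and never touches /etc/ssl or ca-certificates.crt. The source and target paths and the CA file names are constructed for the demo.

```shell
# Added example: model the opt-in / opt-out "enable by symlink" scheme.
# Assumptions (constructed for this demo): CA files are stored as
# <alias>.pem in $SRC, and "enabling" a CA means symlinking it into $DST,
# which stands in for /etc/grid-security/certificates. Nothing under
# /etc/ssl is read or written, so system-wide TLS trust is unaffected.

SRC="${TMPDIR:-/tmp}/igtf-demo-src.$$"
DST="${TMPDIR:-/tmp}/igtf-demo-dst.$$"

# Build a constructed source tree holding three placeholder CA files.
setup_demo() {
    rm -rf "$SRC" "$DST"
    mkdir -p "$SRC" "$DST"
    for ca in ca-alpha ca-beta ca-gamma; do
        printf -- '-----BEGIN CERTIFICATE-----\nDEMO %s\n-----END CERTIFICATE-----\n' "$ca" > "$SRC/$ca.pem"
    done
}

# Return 0 if $1 appears in the space-separated list $2.
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# apply_policy MODE LIST
#   MODE=all-but  : enable every CA except those in LIST (opt-out)
#   MODE=none-but : enable only the CAs named in LIST   (opt-in)
# Existing links are removed first so re-running with a new policy is clean.
apply_policy() {
    mode="$1"; list="$2"
    find "$DST" -maxdepth 1 -type l -name '*.pem' -exec rm -f {} +
    for f in "$SRC"/*.pem; do
        name=$(basename "$f" .pem)
        case "$mode" in
            all-but)  in_list "$name" "$list" && continue ;;
            none-but) in_list "$name" "$list" || continue ;;
            *) echo "unknown mode: $mode" >&2; return 2 ;;
        esac
        ln -s "$f" "$DST/$name.pem"
    done
}

# Count the CAs currently enabled (linked) in the target directory.
enabled_count() {
    find "$DST" -maxdepth 1 -type l -name '*.pem' | wc -l | tr -d ' '
}
```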
