
Re: X.509 and CA certificates for other purposes (i.e. the IGTF)



On Fri, May 24, 2013 at 12:32:29PM +0200, Dennis van Dok wrote:
> The point I'd like to raise is that the current model of CA
> certificates seems to take an all-or-nothing approach: either a CA is
> trusted (for whatever purpose) or not. For the IGTF CAs, this may not
> be the right approach.

One of the things I would like to see is that trust settings are
part of a systemwide store.  This means that you can say you trust
a CA for clients, servers, email, codesigning, ...

Certificates in ca-certificates mostly come from mozilla, and they
already have such trust settings.  However they're lost when
imported into ca-certificates, so applications using the
certificates from ca-certificates can't check that.

Openssl can add such trust settings (see x509(1ssl), section
TRUST SETTINGS).  However it changes the format of the PEM
file, and gcrypt can't read this.


Kurt

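The format change Kurt refers to is concrete: `openssl x509 -addtrust` / `-addreject` writes a PEM block labelled `TRUSTED CERTIFICATE` whose DER body is the certificate followed by an extra SEQUENCE (OpenSSL's X509_CERT_AUX) carrying the trusted and rejected purpose OIDs and an optional alias. A reader that expects a plain `CERTIFICATE` block, or that stops after the first SEQUENCE, never sees those settings. The parser below is an added example for this thread, not code from the list, Debian or OpenSSL; it builds a constructed sample (a placeholder SEQUENCE stands in for the real certificate DER, and the alias string is made up), then reads the trust settings back so the layout can be inspected offline. The function and constant names are this example's own.

```python
"""Read the trust settings OpenSSL appends to a 'TRUSTED CERTIFICATE' PEM.

Layout of the DER body (OpenSSL X509_CERT_AUX, appended after the certificate):
  SEQUENCE {
    trust   SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,      -- -addtrust
    reject  [0] IMPLICIT SEQUENCE OF OBJECT IDENTIFIER,  -- -addreject
    alias   UTF8String OPTIONAL,                          -- -setalias
    keyid   OCTET STRING OPTIONAL,
    other   [1] IMPLICIT SEQUENCE OF AlgorithmIdentifier OPTIONAL
  }
"""
import base64
import re

# Extended-key-usage OIDs behind the purpose names openssl x509 accepts.
PURPOSE_OIDS = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "2.5.29.37.0": "anyExtendedKeyUsage",
}
_NAME_TO_OID = {name: oid for oid, name in PURPOSE_OIDS.items()}


def _tlv(tag, value):
    """Encode one DER tag-length-value (single-byte tags only)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end, next_pos) for the TLV at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)


def _decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _oid_list(buf, start, end):
    """Decode a run of OBJECT IDENTIFIERs, mapping known purposes to names."""
    names, pos = [], start
    while pos < end:
        tag, vs, ve, pos = _read_tlv(buf, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER in trust list")
        oid = _decode_oid(buf[vs:ve])
        names.append(PURPOSE_OIDS.get(oid, oid))
    return names


def wrap_pem(der, label):
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def build_trusted_pem(cert_der, trust=(), reject=(), alias=None):
    """Append an X509_CERT_AUX block to cert_der, as openssl x509 -addtrust does."""
    aux = b""
    if trust:
        aux += _tlv(0x30, b"".join(_tlv(0x06, _encode_oid(_NAME_TO_OID[p])) for p in trust))
    if reject:  # [0] IMPLICIT: context-specific, constructed, number 0
        aux += _tlv(0xA0, b"".join(_tlv(0x06, _encode_oid(_NAME_TO_OID[p])) for p in reject))
    if alias:
        aux += _tlv(0x0C, alias.encode("utf-8"))
    return wrap_pem(cert_der + _tlv(0x30, aux), "TRUSTED CERTIFICATE")


def parse_trusted_pem(pem):
    """Return label, trust/reject purposes, alias and the byte count after the certificate."""
    m = re.search(r"-----BEGIN (TRUSTED CERTIFICATE|CERTIFICATE)-----\s*(.*?)\s*-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no certificate block found")
    der = base64.b64decode("".join(m.group(2).split()))
    tag, _, cert_end, _ = _read_tlv(der, 0)  # the certificate is the first SEQUENCE
    if tag != 0x30:
        raise ValueError("certificate body is not a SEQUENCE")
    result = {"label": m.group(1), "trust": [], "reject": [], "alias": None,
              "trailing_bytes": len(der) - cert_end}
    if cert_end == len(der):
        return result  # plain CERTIFICATE: no trust settings present
    tag, pos, aux_end, _ = _read_tlv(der, cert_end)
    if tag != 0x30:
        raise ValueError("expected X509_CERT_AUX SEQUENCE after certificate")
    while pos < aux_end:
        tag, vs, ve, pos = _read_tlv(der, pos)
        if tag == 0x30:
            result["trust"] = _oid_list(der, vs, ve)
        elif tag == 0xA0:
            result["reject"] = _oid_list(der, vs, ve)
        elif tag == 0x0C:
            result["alias"] = der[vs:ve].decode("utf-8")
        # keyid (0x04) and other ([1], 0xA1) are skipped by this example
    return result


# Constructed placeholder: a SEQUENCE standing in for a real certificate DER.
PLACEHOLDER_CERT_DER = _tlv(0x30, _tlv(0x04, b"constructed placeholder, not a real certificate"))
SAMPLE_PEM = build_trusted_pem(PLACEHOLDER_CERT_DER, trust=("serverAuth", "clientAuth"),
                               reject=("emailProtection",), alias="Example Grid CA (constructed)")

if __name__ == "__main__":
    print(SAMPLE_PEM)
    print(parse_trusted_pem(SAMPLE_PEM))
```

Running the script shows the two things that trip up other libraries: the block label is no longer `CERTIFICATE`, and `trailing_bytes` is non-zero because the purpose OIDs sit after the certificate rather than inside it. Feeding a plain block through `wrap_pem(PLACEHOLDER_CERT_DER, "CERTIFICATE")` yields empty trust and reject lists, which is what an application reading ca-certificates sees today.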
