
Re: X.509 and CA certificates for other purposes (i.e. the IGTF)



On Fri, 2013-05-24 at 12:32 +0200, Dennis van Dok wrote:
> The point I'd like to raise is that the current model of CA
> certificates seems to take an all-or-nothing approach: either a CA is
> trusted (for whatever purpose) or not. For the IGTF CAs, this may not
> be the right approach.
I don't think that's a good idea for ca-certificates either... but I
don't think you can really do anything against it... either the cert is
installed in /etc/ssl or not... the problem here actually lies with the
clients, when they don't allow you to specify another store location to
have more fine-grained possibilities...

Sure, there is what Kurt mentions... but I mean that doesn't make things
really better IMHO, as it only allows setting a few "roles"... not
something like "ejabberd should accept this, but apache should not", or
does it?

But I think it's very problematic that ca-certificates includes
extremely untrustworthy CAs like CNNIC...


Anyway... good to see you again into bringing the IGTF bundle to
Debian :)


Cheers,
Chris.
