
Re: X.509 and CA certificates for other purposes (i.e. the IGTF)



On 25-05-13 04:04, Christoph Anton Mitterer wrote:
> On Fri, 2013-05-24 at 12:32 +0200, Dennis van Dok wrote:
>> The point I'd like to raise is that the current model of CA
>> certificates seems to take an all-or-nothing approach: either a CA is
>> trusted (for whatever purpose) or not. For the IGTF CAs, this may not
>> be the right approach.
> I don't think that's a good idea for ca-certificates either,... but I
> don't think you can really do anything against it... either the cert is
> installed in /etc/ssl or not... the problem here lies actually with the
> clients, when they don't allow you to specify another store location to
> have more fine grained possibilities...
> 
> Sure there is what Kurt mentions... but I mean that doesn't make things
> really better IMHO, as it only allows to set a few "roles",... not
> something like ejabberd should accept this, but apache should not, or
> does it?

No, I don't think so, the feature is quite limited that way.

> but I think it's very problematic that ca-certificates includes
> extremely untrustworthy CAs like CNNIC...

...which is included in Mozilla. That discussion should be taken there
(indeed was [1]), as in Debian it was agreed we're not going to do better
than Mozilla at judging CAs [2].

[1] https://groups.google.com/forum/?fromgroups=#!topic/mozilla.dev.security.policy/F7471-CzPow[1-25-false]

[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=647848


> Anyway... good to see you again into bringing the IGTF bundle to
> Debian :)

Thanks!

In order to move forward, I really need someone to have a look at my
package. I need to know that I'm on the right track.

Cheers,


Dennis

-- 
D.H. van Dok :: Software Engineer :: www.nikhef.nl/grid ::
Phone +31 20 592 22 28 :: http://www.nikhef.nl/~dennisvd/

