
Re: git and https



On Sat, May 30, 2015 at 11:52:02AM +1000, Riley Baird wrote:
> > > > > If we can use a Debian-specific CA, we can do cert pinning, since we're
> > > > > then assuming we have some control over the client.  I was assuming a
> > > > > general client where we'd have to play nice with the normal CA roots.

> > > > Then we would constantly get complaints from Ubuntu/etc
> > > > developers/users about why Debian uses invalid certs, as we did before
> > > > Debian moved to mafia certs. Unfortunately I don't think it is
> > > > possible to use both mafia CAs and non-mafia CAs without adding say a
> > > > lot of non-mafia subdomains, like non-mafia.www.debian.org.

> > > If having to manually add a CA annoys the Ubuntu developers that
> > > much, then surely they could just include the Debian CA certificate to
> > > Ubuntu's default?

> > It is my understanding that no, Ubuntu could not, because Ubuntu ships
> > firefox; and one of the things that's disallowed by Mozilla when using the
> > firefox trademark is extending the set of trusted CAs (for actually rather
> > good reason).

> I just looked at the Ubuntu ca-certificates package in vivid, and it
> ships the SPI certificate:
> /usr/share/ca-certificates/spi-inc.org/spi-cacert-2008.crt

Yes, because that's the ca-certificates package from Debian.  But the
firefox package does not trust those certificates.

> Does Firefox in Ubuntu use this certificate, or does it only accept
> certificates in /usr/share/ca-certificates/mozilla?

Firefox doesn't use any certificates from the ca-certificates package.  It
uses the CAs that are bundled in the upstream source.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
