Re: should ca-certificates certdata.txt synchronize across all suites?

To: Antoine Beaupré <anarcat@orangeseeds.org>
Cc: Philipp Kern <pkern@debian.org>, Guido Günther <agx@sigxcpu.org>, Michael Shuler <michael@pbandjelly.org>, Paul Wise <pabs@debian.org>, ca-certificates@packages.debian.org, debian-lts@lists.debian.org, 858539@bugs.debian.org, 867461@bugs.debian.org
Subject: Re: should ca-certificates certdata.txt synchronize across all suites?
From: Kurt Roeckx <kurt@roeckx.be>
Date: Sat, 22 Jul 2017 11:43:07 +0200
Message-id: <[🔎] 20170722094307.m3tx5tv2254tqwae@roeckx.be>
In-reply-to: <[🔎] 87eft9qzz8.fsf@curie.anarc.at>
References: <[🔎] 87y3s1phqk.fsf@curie.anarc.at> <[🔎] 76bd0565-304c-cc60-c38c-af1a725b2143@debian.org> <[🔎] 20170707140251.igywdem62hjuuu4y@bogon.m.sigxcpu.org> <[🔎] 87bmoiyhpq.fsf@curie.anarc.at> <[🔎] f6049c87-eb0a-899e-38b4-8a23442623da@debian.org> <[🔎] 87o9sdrj7y.fsf@curie.anarc.at> <[🔎] 56aff1bee06b57535fd35f9789f11fe1@mail.kern.pm> <[🔎] 87eft9qzz8.fsf@curie.anarc.at>

On Fri, Jul 21, 2017 at 04:47:23PM -0400, Antoine Beaupré wrote:
> On 2017-07-21 22:19:20, Philipp Kern wrote:
> > My point was that you state what your delta is and essentially boils 
> > down to attach the diff of what will actually happen to the .deb. I 
> > think it's generally fine to add new CAs and remove fully distrusted 
> > ones, instead of saying "it should just be in sync with unstable". The 
> > latter contains a lot more nuance if you know that some of the rules are 
> > only available in code.
> 
> Thank you for taking the time to clarify your position, I understand it
> much better now. :)
> 
> Makes perfect sense, I'll try to be clearer in future communications to
> avoid such confusion.

Mozilla has various extra distrust/partial trust rules that are now
coded in either NSS or Firefox itself. But we're not even using the
distrust/partial trust information currently in certdata.txt.

Other than what is in certdata.txt + code, there are also
certificates that are distrusted by using OneCRL.

I currently see no reason not to ship certdata.txt in all
distributions.

In any case, I think we should try to implement all the rules that
Mozilla applies in all software that deals with certificate. And
at least Mozilla is interested in that, and at least some of the
OpenSSL people would also like to see OpenSSL have more checks
than that currently happen.

Kurt

Reply to:

References:
- should ca-certificates certdata.txt synchronize across all suites?
  - From: Antoine Beaupré <anarcat@orangeseeds.org>
- Re: should ca-certificates certdata.txt synchronize across all suites?
  - From: Philipp Kern <pkern@debian.org>
- Re: should ca-certificates certdata.txt synchronize across all suites?
  - From: Guido Günther <agx@sigxcpu.org>
- Re: should ca-certificates certdata.txt synchronize across all suites?
  - From: Antoine Beaupré <anarcat@orangeseeds.org>
- Re: should ca-certificates certdata.txt synchronize across all suites?
  - From: Philipp Kern <pkern@debian.org>
- Re: should ca-certificates certdata.txt synchronize across all suites?
  - From: Antoine Beaupré <anarcat@orangeseeds.org>
- Re: should ca-certificates certdata.txt synchronize across all suites?
  - From: Philipp Kern <pkern@debian.org>
- Re: should ca-certificates certdata.txt synchronize across all suites?
  - From: Antoine Beaupré <anarcat@orangeseeds.org>

Prev by Date: Re: Wheezy update of ncurses?
Next by Date: Re: should ca-certificates certdata.txt synchronize across all suites?
Previous by thread: Re: should ca-certificates certdata.txt synchronize across all suites?
Next by thread: libmtp LTS update ready for testing
Index(es):
- Date
- Thread