Re: should ca-certificates certdata.txt synchronize across all suites?
On Fri, Jul 21, 2017 at 04:47:23PM -0400, Antoine Beaupré wrote:
> On 2017-07-21 22:19:20, Philipp Kern wrote:
> > My point was that you state what your delta is, and it essentially boils
> > down to attaching the diff of what will actually happen to the .deb. I
> > think it's generally fine to add new CAs and remove fully distrusted
> > ones, instead of saying "it should just be in sync with unstable". The
> > latter contains a lot more nuance if you know that some of the rules are
> > only available in code.
> Thank you for taking the time to clarify your position; I understand it
> much better now. :)
> Makes perfect sense, I'll try to be clearer in future communications to
> avoid such confusion.
Mozilla has various extra distrust/partial trust rules that are now
coded in either NSS or Firefox itself. But we're not even using the
distrust/partial trust information currently in certdata.txt.
Other than what is in certdata.txt + code, there are also
certificates that are distrusted by using OneCRL.
I currently see no reason not to ship certdata.txt in all
In any case, I think we should try to implement all the rules that
Mozilla applies in all software that deals with certificates. And
at least Mozilla is interested in that, and at least some of the
OpenSSL people would also like to see OpenSSL have more checks
than currently happen.
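To illustrate the distrust/partial-trust information that is already present in certdata.txt (and that the mail says is currently not consumed), here is an added example, not code from the thread or from the ca-certificates package, that reads the CKO_NSS_TRUST objects and separates real server-auth anchors from "must verify" and explicitly distrusted entries. It assumes the public certdata.txt layout (blank-line separated objects, `ATTR TYPE VALUE` lines, MULTILINE_OCTAL blocks ending in END); the sample data is constructed, and rules that live only in NSS/Firefox code or in OneCRL are, as the mail notes, outside the file and so outside this parser.

```python
"""Classify CKO_NSS_TRUST objects from a certdata.txt-style file."""

# Constructed sample in the certdata.txt layout (not real Mozilla data).
SAMPLE = r"""
# Trust for "Example Root CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\001\002\003
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

# Trust for "Example Distrusted CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
"""

USAGES = ("CKA_TRUST_SERVER_AUTH", "CKA_TRUST_EMAIL_PROTECTION",
          "CKA_TRUST_CODE_SIGNING")
TRUST_WORD = {
    "CKT_NSS_TRUSTED_DELEGATOR": "anchor",   # may serve as a trust anchor
    "CKT_NSS_MUST_VERIFY_TRUST": "verify",   # not an anchor for this usage
    "CKT_NSS_NOT_TRUSTED": "distrusted",     # explicitly distrusted
}

def parse_objects(text):
    """Yield each object as {attribute: value}; comments and the bodies of
    MULTILINE_OCTAL blocks (hashes, DER) are skipped, not needed here."""
    obj, in_octal = {}, False
    for line in text.splitlines():
        if in_octal:                      # inside \ooo block until END
            in_octal = line.strip() != "END"
            continue
        if not line.strip() or line.startswith("#"):
            if obj:                       # blank/comment line ends an object
                yield obj
                obj = {}
            continue
        parts = line.split(" ", 2)        # ATTR TYPE [VALUE]
        if parts[1] == "MULTILINE_OCTAL":
            in_octal = True
            continue
        obj[parts[0]] = parts[2].strip('"') if len(parts) > 2 else ""
    if obj:
        yield obj

def classify_trust(text):
    """Map CA label -> {usage: anchor|verify|distrusted|unknown}."""
    out = {}
    for obj in parse_objects(text):
        if obj.get("CKA_CLASS") != "CKO_NSS_TRUST":
            continue
        out[obj["CKA_LABEL"]] = {u.replace("CKA_TRUST_", ""):
                                 TRUST_WORD.get(obj.get(u), "unknown")
                                 for u in USAGES}
    return out

def server_auth_anchors(text):
    """Labels a TLS server-auth store should contain: anchors only."""
    return sorted(label for label, flags in classify_trust(text).items()
                  if flags["SERVER_AUTH"] == "anchor")
```

Feeding the real certdata.txt to `classify_trust` shows which entries a store built from the file alone would silently treat as trusted if only the certificate objects, and not the trust objects, were read.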