Re: Debian Policy about administrator X.509 certificate stores [was: Re: dovecot-common: please do not use /etc/ssl/certs for end-entity X.509 certificates (/etc/ssl/certs/dovecot.pem)]
- To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
- Cc: Ben Hutchings <ben@decadent.org.uk>, 608719@bugs.debian.org, debian-policy@lists.debian.org, ca-certificates@packages.debian.org, Michael Shuler <michael@pbandjelly.org>
- Subject: Re: Debian Policy about administrator X.509 certificate stores [was: Re: dovecot-common: please do not use /etc/ssl/certs for end-entity X.509 certificates (/etc/ssl/certs/dovecot.pem)]
- From: Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>
- Date: Mon, 2 Apr 2012 11:49:22 +0200
- Message-id: <20120402094922.GE2453@yellowpig>
- Mail-followup-to: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Ben Hutchings <ben@decadent.org.uk>, 608719@bugs.debian.org, debian-policy@lists.debian.org, ca-certificates@packages.debian.org, Michael Shuler <michael@pbandjelly.org>
- In-reply-to: <4F681415.90701@fifthhorseman.net>
- References: <20110102232038.30962.75433.reportbug@localhost.localdomain> <1332213241.8043.8.camel@deadeye> <4F681415.90701@fifthhorseman.net>
On Tue, Mar 20, 2012 at 01:22:29AM -0400, Daniel Kahn Gillmor wrote:
> [this discussion started on http://bugs.debian.org/608719]
>
> On 03/19/2012 11:14 PM, Ben Hutchings wrote:
> >On Sun, 2011-01-02 at 18:20 -0500, Daniel Kahn Gillmor wrote:
> >>It looks like dovecot-common's postinst script creates a new X.509
> >>certificate and places it in /etc/ssl/certs/dovecot.pem. This
> >>certificate is for use as the IMAP or POP server's end entity
> >>certificate.
> >>
> >>However, /etc/ssl/certs/ is used elsewhere in debian (e.g. the default
> >>for wget's --ca-directory option) as a directory of legitimate root
> >>certificate authorities -- *not* end entity certificates.
> >
> >Is this specified in any policy? If not, shouldn't it be discussed on
> >debian-policy?
>
> Sure, that makes sense. I'm cc'ing debian-policy here. I'm not
> subscribed to that list, so please keep me Cc'ed in the followup.
>
> >Personally, I think that it is a bad idea to treat the
> >certificates in /etc/ssl/certs as automatically trusted. Even if
> >packagers follow such a policy, system administrators likely will not
> >read the policy and will not suspect that installing a certificate there
> >has this effect.

Another issue is that no directory is provided for the system administrator to
put their local certs. Of course they can use /etc/ssl/certs, but then the certs are
drowned by the number.

Cheers,
Bill.