Re: Debian Policy about administrator X.509 certificate stores [was: Re: dovecot-common: please do not use /etc/ssl/certs for end-entity X.509 certificates (/etc/ssl/certs/dovecot.pem)]

[Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>]

On Tue, Mar 20, 2012 at 01:22:29AM -0400, Daniel Kahn Gillmor wrote:
> [this discussion started on http://bugs.debian.org/608719]
> 
> On 03/19/2012 11:14 PM, Ben Hutchings wrote:
> >On Sun, 2011-01-02 at 18:20 -0500, Daniel Kahn Gillmor wrote:
> >>It looks like dovecot-common's postinst script creates a new X.509
> >>certificate and places it in /etc/ssl/certs/dovecot.pem.  This
> >>certificate is for use as the IMAP or POP server's end entity
> >>certificate.
> >>
> >>However, /etc/ssl/certs/ is used elsewhere in debian (e.g. the default
> >>for wget's --ca-directory option) as a directory of legitimate root
> >>certificate authorities -- *not* end entity certificates.
> >
> >Is this specified in any policy?  If not, shouldn't it be discussed on
> >debian-policy?
> 
> Sure, that makes sense.  I'm cc'ing debian-policy here.  I'm not
> subscribed to that list, so please keep me Cc'ed in the followup.
> 
> >Personally, I think that it is a bad idea to treat the
> >certificates in /etc/ssl/certs as automatically trusted.  Even if
> >packagers follow such a policy, system administrators likely will not
> >read the policy and will not suspect that installing a certificate there
> >has this effect.

Another issue is that no directories is provided for the system administrator to
put their local certs. Of course they can use /etc/ssl/certs, but then the certs are 
drowned by the number. 

Cheers,
Bill.