
Re: Debian Policy about administrator X.509 certificate stores



Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:

> There are (at least) two classes of "local certs" -- this is the core of
> all of this confusion.
> 
>  0) there are certificate authority certs that the admin wants to rely
> on for certification.
> 
>  1) there are certs used to identify TLS-capable services on the machine
> 
>  2) (additionally, there are potentially intermediate certificates that
> chain back from the certs in class 1 -- these are needed for regular
> operation if certs in class 1 were not issued directly by a root authority).

> But (AFAIK) there aren't any well-documented/clear/commonly-held
> standards for where certs in classes 1 and 2 should be placed.

> I think it would ease administration (and make it easier for various
> Debian-knowledgeable admins to help each other) if there was such a
> standard.

You definitely want class 0 and class 2 certs hashed into the same
directory under nearly all circumstances that don't involve being very
paranoid about the CAs that you accept, since that allows the OpenSSL
CAdir directive to work properly and is WAY easier to maintain.

It is often nice to have class 1 certs in the same location for the same
reason, although not quite as important.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
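
The point above about hashing class 0 and class 2 certs into one directory, as an added example that is not part of the original message: it builds a throwaway root, intermediate and server certificate, then verifies the server certificate against a hashed directory holding only the root and against one holding root and intermediate together (via `openssl verify -CApath`). All names, paths and certificates are constructed for the demo.

```shell
#!/bin/sh
# Added example. All names, paths and certificates below are constructed for the demo.
set -eu

# Build a throwaway chain in $1: root (class 0) -> int (class 2) -> leaf (class 1).
make_chain() {
    d=$1; mkdir -p "$d"
    printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' \
        > "$d/o.cnf"
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/o.cnf" -subj "/CN=demo-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/o.cnf" -extensions v3_ca -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/o.cnf" -extensions v3_ca \
        -out "$d/int.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Copy each cert into directory $1 as <subject-hash>.<n>, the name CApath lookups expect.
hash_into() {
    out=$1; shift; mkdir -p "$out"
    for c in "$@"; do
        h=$(openssl x509 -noout -subject_hash -in "$c")
        i=0; while [ -e "$out/$h.$i" ]; do i=$((i + 1)); done   # hash collision: next suffix
        cp "$c" "$out/$h.$i"
    done
}

# Succeeds only if cert $2 verifies with hashed directory $1 passed as -CApath.
verify_with() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

demo() {
    t=$(mktemp -d); make_chain "$t"
    hash_into "$t/roots-only" "$t/root.pem"                # class 0 only
    hash_into "$t/combined"   "$t/root.pem" "$t/int.pem"   # class 0 + class 2 together
    for name in roots-only combined; do
        if verify_with "$t/$name" "$t/leaf.pem"; then r=verified; else r=failed; fi
        echo "$name: leaf $r"
    done
    rm -rf "$t"
}
demo
```

Every certificate in a `-CApath` directory is treated as trusted, so the combined layout also means trusting each intermediate placed there.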

