Re: Debian Policy about administrator X.509 certificate stores
- To: Russ Allbery <rra@debian.org>
- Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Ben Hutchings <ben@decadent.org.uk>, 608719@bugs.debian.org, debian-policy@lists.debian.org, ca-certificates@packages.debian.org, Michael Shuler <michael@pbandjelly.org>
- Subject: Re: Debian Policy about administrator X.509 certificate stores
- From: Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>
- Date: Mon, 2 Apr 2012 22:23:46 +0200
- Message-id: <20120402202346.GB18895@yellowpig>
- Mail-followup-to: Russ Allbery <rra@debian.org>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Ben Hutchings <ben@decadent.org.uk>, 608719@bugs.debian.org, debian-policy@lists.debian.org, ca-certificates@packages.debian.org, Michael Shuler <michael@pbandjelly.org>
- In-reply-to: <87pqbp6h9o.fsf@windlord.stanford.edu>
- References: <20110102232038.30962.75433.reportbug@localhost.localdomain> <1332213241.8043.8.camel@deadeye> <4F681415.90701@fifthhorseman.net> <20120402094922.GE2453@yellowpig> <87bona84h9.fsf@windlord.stanford.edu> <4F79DAEC.7000407@fifthhorseman.net> <87pqbp6h9o.fsf@windlord.stanford.edu>
On Mon, Apr 02, 2012 at 12:54:59PM -0700, Russ Allbery wrote:
> Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:
>
> > There are (at least) two classes of "local certs" -- this is the core of
> > all of this confusion.
> >
> > 0) there are certificate authority certs that the admin wants to rely
> > on for certification.
> >
> > 1) there are certs used to identify TLS-capable services on the machine
> >
> > 2) (additionally, there are potentially intermediate certificates that
> > chain back from the certs in class 1 -- these are needed for regular
> > operation if certs in class 1 were not issued directly by a root authority).
>
> > But (AFAIK) there aren't any well-documented/clear/commonly-held
> > standards for where certs in classes 1 and 2 should be placed.
>
> > I think it would ease administration (and make it easier for various
> > debian-knowledgeable admins to help each other) if there was such a
> > standard.
>
> You definitely want class 0 and class 2 certs hashed into the same
> directory under nearly all circumstances that don't involve being very
> paranoid about the CAs that you accept, since that allows the OpenSSL
> CAdir directive to work properly and is WAY easier to maintain.
>
> It is often nice to have class 1 certs in the same location for the same
> reason, although not quite as important.
What about certificates used for wpasupplicant with WPA-EAP/TTLS?
Where should I put them?
Cheers,
--
Bill. <ballombe@debian.org>
Imagine a large red swirl here.
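Russ's point above about hashing class 0 and class 2 certs into one directory, as an added example that is not from this thread: the script builds a throwaway root / intermediate / service chain, hashes the root alone and the root plus intermediate into two CApath directories, and verifies the service cert against each. It assumes a POSIX sh and the openssl command-line tool; every name and path in it is made up.

```shell
#!/bin/sh
# Added example, not from the thread: put the locally trusted root (class 0)
# and the intermediate (class 2) into one hashed directory, then verify a
# service certificate (class 1) against it with openssl -CApath.
# A throwaway test PKI is generated in a temp dir, so this runs offline.
set -eu
WORK=$(mktemp -d)
# Minimal req config so results do not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# issue NAME ISSUER CA_FLAG KEYUSAGE: key + CSR for NAME, signed by ISSUER.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:%s\nkeyUsage=critical,%s\n' "$3" "$4" > "$WORK/$1.ext"
  openssl x509 -req -sha256 -days 30 -in "$WORK/$1.csr" -CA "$WORK/$2.crt" \
    -CAkey "$WORK/$2.key" -CAcreateserial -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" 2>/dev/null
}
# Class 0: self-signed root.  Class 2: intermediate.  Class 1: service cert.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config "$WORK/req.cnf" \
  -subj "/CN=Local Root" -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
issue intermediate root TRUE keyCertSign,cRLSign
issue service intermediate FALSE digitalSignature,keyEncipherment

# hash_into DIR CERT...: store each cert as <subject_hash>.<n>, the layout that
# OpenSSL's CApath/CAdir lookup (and c_rehash / openssl rehash) expects.
hash_into() {
  dir=$1; shift; mkdir -p "$dir"
  for cert in "$@"; do
    h=$(openssl x509 -in "$cert" -noout -subject_hash); n=0
    while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done   # collision: next suffix
    cp "$cert" "$dir/$h.$n"
  done
}
# verify_leaf DIR CERT: succeeds only if openssl reports the chain as OK.
verify_leaf() { openssl verify -CApath "$1" "$2" 2>/dev/null | grep -q ': OK$'; }

hash_into "$WORK/both" "$WORK/root.crt" "$WORK/intermediate.crt"
hash_into "$WORK/rootonly" "$WORK/root.crt"
if verify_leaf "$WORK/both" "$WORK/service.crt"; then echo "root+intermediate hashed: OK"; fi
if ! verify_leaf "$WORK/rootonly" "$WORK/service.crt"; then echo "root only: issuer not found"; fi
```

With only the root hashed, OpenSSL cannot find the intermediate by subject hash and the chain does not build; adding the intermediate to the same directory is what makes -CApath (and the CAdir directive) work.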