
Re: Debian Policy about administrator X.509 certificate stores [was: Re: dovecot-common: please do not use /etc/ssl/certs for end-entity X.509 certificates (/etc/ssl/certs/dovecot.pem)]



On Tue, Mar 20, 2012 at 01:22:29AM -0400, Daniel Kahn Gillmor wrote:
> Consider, for example, that libNSS allows the user to identify which root CAs are
> trusted to:
> 
>  * identify web sites,
>  * identify e-mail users, or
>  * sign code
> 
> (some CAs may be trusted for all three categories, some for only one or
> two of them).
> 
> If the system store could identify these separate categories
> differently, then we could divert (or ship a modified)
> libnssckbi.so that actually drew its configuration from the admin's
> configuration choices (instead of using the hardcoded builtins).

As far as I know NSS already has this information, it even has
more options than that, but I think only those 3 are actually
used.

At least the certdata.txt file contains the information, you can
edit in iceweasel/firefox.  The information only gets lost when
the ca-certificates package is created.


Kurt
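
An added example, not part of the original thread: a minimal reader for the per-purpose trust attributes that NSS's certdata.txt carries, showing what is lost when the roots are flattened into one purpose-less bundle. The sample objects are constructed; the "web/email/code" purpose names and the `anchors` helper are assumptions of this example, and the flat list only illustrates the loss, it is not the ca-certificates packaging logic.

```python
import re

# Constructed sample in certdata.txt syntax; labels and hash bytes are made up.
SAMPLE = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Web Root"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\001\002\003\004
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Mail Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
'''

PURPOSES = {"CKA_TRUST_SERVER_AUTH": "web",
            "CKA_TRUST_EMAIL_PROTECTION": "email",
            "CKA_TRUST_CODE_SIGNING": "code"}

def parse_trust(text):
    """Return {label: {purpose: trust value}} for each trust object."""
    result, label, in_trust, in_octal = {}, None, False, False
    for line in map(str.strip, text.splitlines()):
        if in_octal:                      # skip MULTILINE_OCTAL payload up to END
            in_octal = line != "END"
            continue
        parts = line.split(None, 2)
        if len(parts) < 2 or line.startswith("#"):
            continue
        attr, typ, value = parts[0], parts[1], (parts + [""])[2]
        if typ == "MULTILINE_OCTAL":
            in_octal = True
        elif attr == "CKA_CLASS":         # a new object starts here
            in_trust, label = value in ("CKO_NSS_TRUST", "CKO_NETSCAPE_TRUST"), None
        elif in_trust and attr == "CKA_LABEL":
            label = value.strip('"')
            result[label] = {}
        elif in_trust and label is not None and attr in PURPOSES:
            # older files spell the prefix CKT_NETSCAPE_ instead of CKT_NSS_
            result[label][PURPOSES[attr]] = re.sub(r"^CKT_(NSS|NETSCAPE)_", "", value)
    return result

def anchors(trust, purpose=None):
    """Roots that are trust anchors for one purpose, or for any if purpose is None."""
    return sorted(name for name, t in trust.items()
                  if "TRUSTED_DELEGATOR" in ([t.get(purpose)] if purpose else t.values()))
```

Calling `anchors(parse_trust(SAMPLE), "web")` lists only the web root, while `anchors(parse_trust(SAMPLE))` returns both roots, which is all a consumer of a flattened bundle can see.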

