Re: Debian Policy about administrator X.509 certificate stores [was: Re: dovecot-common: please do not use /etc/ssl/certs for end-entity X.509 certificates (/etc/ssl/certs/dovecot.pem)]
On Tue, Mar 20, 2012 at 01:22:29AM -0400, Daniel Kahn Gillmor wrote:
> Consider, for example, that libNSS allows the user to identify which root CAs are
> trusted to:
>
> * identify web sites,
> * identify e-mail users, or
> * sign code
>
> (some CAs may be trusted for all three categories, some for only one or
> two of them).
>
> If the system store could identify these separate categories
> differently, then we could divert (or ship a modified)
> libnssckbi.so that actually drew its configuration from the admin's
> configuration choices (instead of using the hardcoded builtins).
As far as I know NSS already has this information, it even has
more options than that, but I think only those 3 are actually
used.
At least the certdata.txt file contains the information, you can
edit it in iceweasel/firefox. The information only gets lost when
the ca-certificates package is created.
Kurt
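
An added illustration of the per-purpose trust data this message refers to (not part of the original e-mail, and not NSS or ca-certificates code): a small parser for trust objects in certdata.txt syntax, next to a purpose-agnostic flattening. The sample records, the function names and the flattening rule are assumptions made for the example.

```python
# Constructed sample in certdata.txt syntax; labels and trust values are made up.
SAMPLE = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Web Root"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\001\002\003\004
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Mail Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
'''

PURPOSES = {"CKA_TRUST_SERVER_AUTH": "web sites",
            "CKA_TRUST_EMAIL_PROTECTION": "e-mail users",
            "CKA_TRUST_CODE_SIGNING": "code signing"}

def parse_trust(text):
    """Return {CA label: set of purposes it is a trusted delegator for}."""
    result, label, in_trust, in_octal = {}, None, False, False
    for line in text.splitlines():
        line = line.strip()
        if in_octal:                      # skip the octal blob up to END
            in_octal = line != "END"
            continue
        fields = line.split(None, 2)
        if line.startswith("#") or len(fields) < 2:
            continue
        attr, typ, value = (fields + [""])[:3]
        if typ == "MULTILINE_OCTAL":
            in_octal = True
        elif attr == "CKA_CLASS":         # a new object starts here
            in_trust = value in ("CKO_NSS_TRUST", "CKO_NETSCAPE_TRUST")
            label = None
        elif in_trust and attr == "CKA_LABEL":
            label = value.strip('"')
            result[label] = set()
        elif (in_trust and label and attr in PURPOSES
              and value.endswith("_TRUSTED_DELEGATOR")):
            result[label].add(PURPOSES[attr])
    return result

def flattened_bundle(trust):
    """Assumed flattening: one CA list, purposes dropped (names only)."""
    return sorted(ca for ca, purposes in trust.items() if purposes)
```

In the flattened list both constructed roots appear side by side, so a consumer can no longer tell that one was trusted only for web sites and the other only for e-mail.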