Re: Debian Policy about administrator X.509 certificate stores [was: Re: dovecot-common: please do not use /etc/ssl/certs for end-entity X.509 certificates (/etc/ssl/certs/dovecot.pem)]

To: Kurt Roeckx <kurt@roeckx.be>
Cc: Ben Hutchings <ben@decadent.org.uk>, 608719@bugs.debian.org, debian-policy@lists.debian.org, ca-certificates@packages.debian.org, Michael Shuler <michael@pbandjelly.org>
Subject: Re: Debian Policy about administrator X.509 certificate stores [was: Re: dovecot-common: please do not use /etc/ssl/certs for end-entity X.509 certificates (/etc/ssl/certs/dovecot.pem)]
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Mon, 09 Apr 2012 09:52:44 -0400
Message-id: <[🔎] 4F82E9AC.40103@fifthhorseman.net>
In-reply-to: <[🔎] 20120407164624.GA12323@roeckx.be>
References: <20110102232038.30962.75433.reportbug@localhost.localdomain> <1332213241.8043.8.camel@deadeye> <4F681415.90701@fifthhorseman.net> <[🔎] 20120407164624.GA12323@roeckx.be>

On 04/07/2012 12:46 PM, Kurt Roeckx wrote:

> At least the certdata.txt file contains the information, you can
> edit in iceweasel/firefox.

edit at runtime or at compile time?  system administrators ideally
shouldn't have to recompile packages in order to add or drop system-wide
default reliance on a given CA.

> The information only gets lots when the ca-certificates package is created.

I think you mean "lost" here, right?  Can you propose a mechanism such
that this info would not get lost?

	--dkg

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

Follow-Ups:
- Re: Debian Policy about administrator X.509 certificate stores [was: Re: dovecot-common: please do not use /etc/ssl/certs for end-entity X.509 certificates (/etc/ssl/certs/dovecot.pem)]
  - From: Kurt Roeckx <kurt@roeckx.be>

References:
- Re: Debian Policy about administrator X.509 certificate stores [was: Re: dovecot-common: please do not use /etc/ssl/certs for end-entity X.509 certificates (/etc/ssl/certs/dovecot.pem)]
  - From: Kurt Roeckx <kurt@roeckx.be>