
Re: Debian Policy about administrator X.509 certificate stores [was: Re: dovecot-common: please do not use /etc/ssl/certs for end-entity X.509 certificates (/etc/ssl/certs/dovecot.pem)]



On Mon, Apr 09, 2012 at 09:52:44AM -0400, Daniel Kahn Gillmor wrote:
> On 04/07/2012 12:46 PM, Kurt Roeckx wrote:
> 
> > At least the certdata.txt file contains the information, you can
> > edit in iceweasel/firefox.
> 
> edit at runtime or at compile time?  system administrators ideally
> shouldn't have to recompile packages in order to add or drop system-wide
> default reliance on a given CA.

iceweasel/firefox allows editing it at runtime, just like it
allows you to add more keys to its store.  I think it's stored in
cert8.db / cert_override.txt.  But that's all per application /
user.

> > The information only gets lots when the ca-certificates package is created.
> 
> I think you mean "lost" here, right?

Yes.

> Can you propose a mechanism such that this info would not get lost?

X509 has a way to embed the trust in the certificate itself, see
"TRUST SETTINGS" in openssl's x509 manpage.


Kurt
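The OpenSSL trust-settings mechanism mentioned above, as an added example that is not part of the thread (and not Debian's or OpenSSL's own tooling): it assumes an `openssl` binary in PATH, uses a constructed throwaway CA, and shows that a plain re-export of the file drops the embedded trust.

```shell
#!/bin/sh
# Added example (not from the thread): OpenSSL's "TRUSTED CERTIFICATE" PEM
# form carries trust settings inside the certificate file; re-exporting it as
# a plain CERTIFICATE silently drops them.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed CA (constructed for the demo, not a real CA).
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Test CA (constructed)" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Embed trust settings in the certificate file itself: trusted for TLS server
# authentication, explicitly rejected for e-mail protection, plus an alias.
# -trustout writes the aux block after the certificate in the PEM body.
embed_trust() {
    openssl x509 -in "$WORK/ca.pem" -trustout \
        -addtrust serverAuth -addreject emailProtection \
        -setalias "Example Test CA" -out "$WORK/trusted.pem"
}

# Re-export without -trustout: what a bundler that only knows plain
# certificates does, and exactly where the trust information is lost.
strip_trust() {
    openssl x509 -in "$WORK/trusted.pem" -out "$WORK/plain.pem"
}

pem_label() { head -n 1 "$1"; }                       # first PEM line
alias_of()  { openssl x509 -in "$1" -noout -alias; }  # "<No Alias>" if none
# The aux block is ordinary ASN.1 following the certificate, so asn1parse
# lists the trust/reject OIDs by their long names (none in the plain file).
trust_uses() {
    openssl asn1parse -in "$1" | grep -E 'Authentication|Protection' || true
}

make_test_ca && embed_trust && strip_trust
for f in trusted plain; do
    echo "== $f.pem: $(pem_label "$WORK/$f.pem")"
    echo "   alias: $(alias_of "$WORK/$f.pem")"
    echo "   trust OIDs in file:"
    trust_uses "$WORK/$f.pem" | sed 's/^/     /'
done
```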
