Re: Debian Policy about administrator X.509 certificate stores [was: Re: dovecot-common: please do not use /etc/ssl/certs for end-entity X.509 certificates (/etc/ssl/certs/dovecot.pem)]
On Mon, Apr 09, 2012 at 09:52:44AM -0400, Daniel Kahn Gillmor wrote:
> On 04/07/2012 12:46 PM, Kurt Roeckx wrote:
>
> > At least the certdata.txt file contains the information, you can
> > edit in iceweasel/firefox.
>
> edit at runtime or at compile time? system administrators ideally
> shouldn't have to recompile packages in order to add or drop system-wide
> default reliance on a given CA.
iceweasel/firefox allows editing it at runtime, just like it
allows you to add more keys to it's store. I thnk it's stored in
cert8.db / cert_override.txt. But that's all per application /
user.
> > The information only gets lots when the ca-certificates package is created.
>
> I think you mean "lost" here, right?
Yes.
> Can you propose a mechanism such that this info would not get lost?
X509 has a way to embed the trust in the certificate itself, see
"TRUST SETTINGS" in openssl's x509 manpage.
Kurt
Reply to: