
Re: Add my CA cert in trusted certs



Миша <aleksmisha991@gmail.com> writes:

> "This is neither easy nor cheap, and we cannot help
> you with that either." You can add my cert in source code.

Right, but we won't.  This is nothing against you personally (I know
absolutely nothing about your CA or how you run it).  It's for several
other reasons:

1. Verifying certificate authorities use good practices is a complex and
   complicated problem that is way outside of Debian's area of expertise.

2. It's not very useful and causes lots of problems if different
   distributions use different sets of trusted certificates.  There's a
   lot of merit in standardizing the default trusted root CA list across
   multiple distributions and web browsers.

We instead defer decisions about the default trusted root CA certificates
to Mozilla and copy their trusted store.  For local root CAs, we provide a
mechanism for you to install your own trusted certs on the systems you
maintain.  See /usr/share/doc/ca-certificates/README.Debian for more
details.

For most situations, the right answer is either to use Let's Encrypt (for
public-facing services) or to automate installing your own CA on your
systems (for private PKIs).

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>

