
Bug#666229: ITP: igtf-policy-bundle -- IGTF profiles for Authority Root Certificates



On 31-03-12 04:47, Christoph Anton Mitterer wrote:
> On Sat, 2012-03-31 at 01:38 +0200, Dennis van Dok wrote:
>> It's better not to get these things mixed up too much.
> Definitely.
> I agree that the actual PEM files should be placed
> in /usr/share/ca-certificates/ and I'd propose a structure like this:
> /usr/share/ca-certificates/igtf/classic
> /usr/share/ca-certificates/igtf/slcs
> /usr/share/ca-certificates/igtf/mlcs
That's *almost* how I've packaged it.

> One thing I just recall:
> OpenSSL hash links... pre/post 1.0 format.
> 
> I'm not sure what I prefer:
> a) ship/create symlinks for both formats
> b) ship/create symlinks for post 1.0 only

I went with a) at the moment. That is what 'upstream' does and it's
really handy for legacy software.

> But I guess this is a separate debconf thingy,... configuring what you
> put in /etc/grid-security and not the one from ca-certificates?

yes

> /etc/grid-security should then _only_ contain symlinks, IMHO.

Agreed, and that's how it works.

> Not sure if this is easily possible, but it would be nice, if the cert
> selection was somehow sorted by the respective PMA.. and perhaps when
> you see the country code of the respective CA.

I'm not sure how I could easily implement this. I don't see this as such
an urgent matter, and as I'm apolitical I don't understand what the fuss
is about.

> Splitting the file hierarchy would make sense here, as people quickly
> recognise which type (i.e. MLCS/SLCS) a cert is of.

This is indeed split into different packages.

> I revised my idea,.. ALL (that are installed) should show up... but one
> should be able to see where they're belonging to, which is easily
> possible via the path.

Agreed.

>>  but there may even be some from the 'unaccredited' set
>> that you would want to have in ca-certificates (e.g. the TERENA-SSL-CA).
> TERENA is in unaccredited,.. damn...
> Nevertheless, I think if you follow my idea to split the packages and
> make one metapackage, I would NOT depend on the -unaccredited
> package.... at most suggest it.. but even that is questionable, because
> while specifically TERENA is likely generally useful, for the main
> purpose of IGTF it's not.

Rather than start a lot of fuss here...maybe TERENA could be included in
the ca-certificates package. It takes only a couple of sponsors IIRC.

> 
> For the ca-certificates part... it's anyway up to the admin to decide
> (if he configured ask,... if he did not one can't help him ;) )
> Well on the other hand... uhm... I'm just thinking what a meta package
> should do (if you split up)....

I haven't given the metapackage a thought yet. I also don't see the need
as there are just three packages for all the accredited stuff. Better to
make it a conscious choice.

> No I don't mean older versions...
> IGTF updates quite often... once the packages are in stable (e.g.
> wheezy) we still would need to update it...
> I guess "stable-updates" is what this is called in the meantime.

Sure, if upstream brings out a new version, the Debian stable package
would have to be updated. Isn't this essentially a security fix?

>>> When you're from NIKHEF you can probably easily get David's OpenPGP key
>>> in a secure way to add only securely downloaded igtf bundles to
>>> Debian :)
>>
>> Nothing NIKHEF specific here,
> I thought David Groep is from NIKHEF? And he signed the key that is used
> to sign the eugridpma distribution key...

Well, sure. And I'll take his word that it's the right bundle ;-) He's
practically in the next office.

I can promise that I will diligently check the signatures, but then
you'll have to trust me that I will do as I say...


>> I'm all for a further discussion of how to do this properly for Debian;
>> I've put a lot of my own thought into this and I've reflected this with
>> others, notably the upstream maintainer, but I still consider this very
>> much as an initial attempt.
> 
> Well I guess you're on a good way... especially your idea to separate
> between ca-certificates and another debconf for grid-security....
> => +1

Thanks,

Dennis

-- 
D.H. van Dok :: Software Engineer :: www.nikhef.nl :: www.biggrid.nl
Phone +31 20 592 22 28 :: http://www.nikhef.nl/~dennisvd/
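
Option a) from the exchange above (hash symlinks in both the pre-1.0 and post-1.0 OpenSSL formats, with the target directory holding nothing but symlinks), as an added shell example that is not part of the original message or of the package's own scripts. The function names and the two directory arguments are assumptions; it needs the `openssl` command-line tool, version 1.0 or later.

```shell
#!/bin/sh
# Added example (not from the igtf-policy-bundle package).
# link_ca_hashes SRC_DIR DEST_DIR
# For every *.pem CA certificate in SRC_DIR, create two symlinks in DEST_DIR:
#   <new-hash>.N  subject hash as computed by OpenSSL >= 1.0
#   <old-hash>.N  pre-1.0 subject hash, for legacy software
# The PEM files stay in SRC_DIR; DEST_DIR receives symlinks only.
link_ca_hashes() {
    src=$1 dest=$2
    # Symlink targets are written as given, so SRC_DIR must be absolute.
    case $src in
        /*) ;;
        *) echo "link_ca_hashes: SRC_DIR must be absolute" >&2; return 2 ;;
    esac
    mkdir -p "$dest" || return 1
    for pem in "$src"/*.pem; do
        [ -f "$pem" ] || continue
        # Files that do not parse as an X.509 certificate are skipped.
        new=$(openssl x509 -in "$pem" -noout -subject_hash 2>/dev/null) || continue
        old=$(openssl x509 -in "$pem" -noout -subject_hash_old 2>/dev/null) || continue
        for h in "$new" "$old"; do
            link_one "$pem" "$dest" "$h" || return 1
        done
    done
}

# link_one PEM DEST_DIR HASH
# Uses the first free suffix .0, .1, ... so that two CAs whose subject
# hashes collide both remain reachable by lookup.
link_one() {
    n=0
    while [ -e "$2/$3.$n" ] || [ -L "$2/$3.$n" ]; do
        # Already linked to this very file: re-running changes nothing.
        [ "$(readlink "$2/$3.$n")" = "$1" ] && return 0
        n=$((n + 1))
    done
    ln -s "$1" "$2/$3.$n"
}
```
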


