Bug#702329: RFS update

[Dennis van Dok <dennisvd@nikhef.nl>]

On 20-06-13 13:04, Ansgar Burchardt wrote:
> Hi,
> 
> I don't plan to sponsor this package, but here is one comment:
> 
> On 06/20/2013 11:34, Dennis van Dok wrote:
>>  igtf-policy-classic - IGTF classic profile for Authority Root Certificates
>>  igtf-policy-experimental - IGTF experimental Authority Root Certificates
>>  igtf-policy-mics - IGTF MICS profile for Authority Root Certificates
>>  igtf-policy-slcs - IGTF SLCS profile for Authority Root Certificates
>>  igtf-policy-unaccredited - IGTF unaccredited Authority Root Certificates
> 
> Why are these multiple binary packages? I would assume they should just
> be installed into different locations.

The full collection contains certificates for CAs that are not
accredited (yet), so typically you don't want them installed at all. The
distinction between classic, MICS (member-integrated) and SLCS
(short-lived credentials) is the profile as defined by the IGTF. The
admin should be aware of the differences in these policies.

Although there is an option to exclude certain CAs from being trusted,
the default is to trust all (accredited) CAs that are installed.

> A sponsor should check the integrity of the certificates. How could he
> do this?

I can bring the sponsor in personal contact with David Groep, who is a
member of the IGTF and upstream distributor.