On 12/06/2013 07:13 PM, Michael Shuler wrote: > #2 - All CAs included in ca-certificates are available to have the trust > turned off. If you have a concern about a particular CA and do not > trust them, disable that CA.
can we ship CAs marked as "disabled" by default? my impression is that
every CA shipped in ca-certificates right now is enabled automatically
unless the user has debconf's priority set to be more verbose than the
default.
> I'll keep thinking about it. If the Debian NSS maintainer has a strong
> opinion to remove CAcert's roots, then the same will happen in
> ca-certificates, in order to maintain the same CA set.
The other way to maintain the same CA set is for Someoneā¢ to fix #704180
--dkg
signature.asc
Description: OpenPGP digital signature
