Hi Daniel,

On Saturday 07 December 2013 01:21:52 Daniel Kahn Gillmor wrote:
> can we ship CAs marked as "disabled" by default? my impression is that
> every CA shipped in ca-certificates right now is enabled automatically
> unless the user has debconf's priority set to be more verbose than the
> default.

I'm personally inclined to do something along those lines for CAcert as a way to discontinue it.

> The other way to maintain the same CA set is for Someone™ to fix #704180

While I like that solution (having to modify nss to add/remove certs is a PITA), I wonder how trust settings should be managed. With nss' ckbi store you can ship a certificate and indicate no trust setting for a specific use, distrust, etc. No trust setting can be determined from /etc/ssl/certs, losing important information. Do you know if there's already a plan to address that shortcoming?

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
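
The loss of per-use trust information described in the message above, as an added example that is not part of the original thread or of any Debian or NSS code. The attribute and value names follow NSS's certdata.txt; the three entries are constructed, and the export rule in `flat_directory` is an assumption made for illustration.

```python
import re

# Constructed sample in the layout of NSS certdata.txt trust objects.
# Labels are invented; only the attributes this sketch reads are included.
SAMPLE = """\
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Web Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Mail Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
"""

USES = {"server": "CKA_TRUST_SERVER_AUTH", "email": "CKA_TRUST_EMAIL_PROTECTION"}


def parse_trust(text):
    """Return {label: {use: trust value}} for every CKO_NSS_TRUST object."""
    store = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            parts = line.split(None, 2)  # attribute name, type, value
            if len(parts) == 3:
                attrs[parts[0]] = parts[2].strip('"')
        if attrs.get("CKA_CLASS") == "CKO_NSS_TRUST":
            store[attrs["CKA_LABEL"]] = {u: attrs.get(a, "unset") for u, a in USES.items()}
    return store


def flat_directory(store):
    """Hypothetical export rule: a file exists if any use is a trust anchor."""
    return {l for l, t in store.items() if "CKT_NSS_TRUSTED_DELEGATOR" in t.values()}


def collapsed_view(store):
    """What a consumer of the flat directory can tell: present or absent only."""
    present = flat_directory(store)
    return {label: label in present for label in store}


if __name__ == "__main__":
    store = parse_trust(SAMPLE)
    for label, present in collapsed_view(store).items():
        print(f"{label}: per-use={store[label]} flat={'file' if present else 'no file'}")
```

In the collapsed view the web-only and mail-only roots are indistinguishable, and the explicitly distrusted root looks the same as a certificate that was never shipped.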