On Thu, 2014-03-13 at 23:09 +0100, Axel Beckert wrote: > With the exception that you think that ca-certificates > is merely the Mozilla CA package Well of course I know that the Mozilla/NSS packages (iceweasel, etc.pp.) do actually not even use ca-certificates... but looking at it, the only additional root cert seems to be the one from SPI.
> The administrator of a machine can easily disable certificiates he > doesn't trust IMHO it should be vice versa... ca-certificates should activate _no_ certs per default... and only the admin should choose which he trusts; a task which neither we, nor Mozilla can reliably do for anyone (actually this is the inherent problem of strict hierarchical trust models and and why X509 is inherently broken). I'd rather see ca-certificates as a collection of root certs, for which it is assured that they are what they claim to be (respectively blong to which they claim).... E.g. that a Verisign<something> cert is really one from Verisign... and that a CERN Root CA,... is really the one from CERN. There should be no (implied) statement at all about whether these root certs fulfil any particular policy (like WebTrust) or anything else. Cheers, Chris.
smime.p7s
Description: S/MIME cryptographic signature
