Hi Chris,

Christoph Anton Mitterer wrote:
> On Thu, 2014-03-13 at 23:09 +0100, Axel Beckert wrote:
> > With the exception that you think that ca-certificates
> > is merely the Mozilla CA package
> Well of course I know that the Mozilla/NSS packages (iceweasel, etc.pp.)
> do actually not even use ca-certificates... but looking at it, the only
> additional root cert seems to be the one from SPI.

The latter was my point, yes.

> > The administrator of a machine can easily disable certificates he
> > doesn't trust
> IMHO it should be vice versa... ca-certificates should activate _no_
> certs per default...

You've got a point there!

> and only the admin should choose which he trusts; a task which
> neither we, nor Mozilla can reliably do for anyone (actually this is
> the inherent problem of strict hierarchical trust models and why
> X509 is inherently broken).

*nod*

> I'd rather see ca-certificates as a collection of root certs, for which
> it is assured that they are what they claim to be (respectively belong to
> which they claim)....
> E.g. that a Verisign<something> cert is really one from Verisign... and
> that a CERN Root CA,... is really the one from CERN.
>
> There should be no (implied) statement at all about whether these root
> certs fulfil any particular policy (like WebTrust) or anything else.

I like that idea. :-)

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <a...@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
  `-    |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5