Dennis van Dok wrote:
> Justin B Rye wrote:
>> I suspect you'll see a second draft of this...
[...]
>> Maybe:
>> Please specify whether the IGTF Certification Authority certificates for
>> the @PROFILE@ profile should be installed as trusted in
>> /etc/grid-security/certificates.
>
> Somehow "installed as trusted" feels like it might mean more than just
> "installed", where it is really "installed, and therefore trusted". It's
> the ambiguity of the language I guess.
I thought about adding parentheses: "installed (as trusted)". But
that seemed fussy, and then I ended up doing it completely differently
anyway:
[...]
>> Rethinking what the actual question is... should it perhaps be
>>
>> _Description: Trust IGTF @PROFILE@ CAs by default?
>> Trusted IGTF Certification Authority certificates are installed in
>> /etc/grid-security/certificates.
>> .
>> Accept this option to have certificates included by default unless they
>> are explicitly excluded. Reject it to choose the reverse policy,
>> excluding them unless explicitly included.
>> .
>> You will then have the opportunity to define the list of exceptions.
>
> That's bang on, although I'm still not sure about the 'trust' in the
> synopsis.
I'd like to avoid just saying "install". This is a prompt that
comes up while the user is installing a package; asking if they
want to install the files that are part of that package is
confusing. Of course it's clearer when there's room to say "in
directory foo", but even then there's the problem that merely
asking whether files should be put in a directory fails to convey
the significance of the decision.
We could try something like "include certificates in trusted
set", but on the whole I think this'll do - compare
"Trust new certificates from certificate authorities?"
in (/var/lib/dpkg/info/)ca-certificates.templates.
>> Meanwhile in the control file...
>>
>>> Package: igtf-policy-classic
>> [...]
>>> Description: IGTF classic profile for Authority Root Certificates
>>
>> I know what a Root Certificate Authority is, and I can imagine what a
>> Root Authority Certificate might be, but what on earth is an
>> "Authority Root Certificate"? Google shows me no hits that aren't
>> either copies of this text or random chunks out of the middle of some
>> longer string of nouns (usually "Something Certificate Authority
>> Root Certificate Something Somethings"). I strongly suspect this is
>> garbled and should be... um... "CA Root Certificates", perhaps? Or
>> just "root certificates", since after all, that's what it calls them
>> below...
>
> I think 'Certificate Authorities' is best. After all, not all these are
> in fact *Root* CAs. Some of them are intermediates.
So:
Description: IGTF classic profile for Certificate Authorities
>>> The International Grid Trust Federation (IGTF) maintains a common
>>
>> There's another confusing issue here: http://www.igtf.net/ says the
>> IGTF is the "InterOPERABLE GLOBAL Trust Federation". On the other
>> hand, the organisation's charter definitely calls it the InterNATIONAL
>> GRID Trust Federation. Has it officially changed?
>
> I could ask but I've never heard it referred to as Interoperable or Global.
I notice the HTML source on their homepage also has commented-out
mentions of the International Grid version... oh well, as long as
nobody's asking me to sign their GPG key.
>> The International Grid Trust Federation (IGTF) maintains a common trust
>> base for the benefit of distributed science and research computing
>> infrastructures. It provides a list of accredited trust anchors, with
>> root certificates, certificate revocation list locations, contact
>> information, and signing policies.
>
> Already much better!
"Distributed science and research computing infrastructures" is
still a bit unclear. Plausible parsings include:
* distributed-science and research-computing infrastructures
* distributed-science-and-research computing-infrastructures
* distributed science-and-research-computing infrastructures
Fortunately they're all much of a muchness...
>> [...]
>>> Package: igtf-policy-unaccredited
>> [...]
>>> Description: IGTF unaccredited Authority Root Certificates
>>
>> If the certificates are unaccredited, what do they claim to certify?
>> Or is it talking about unaccredited CAs?
>
> Yes, the CAs are unaccredited so it should probably read: "IGTF
> unaccredited Certificate Authorities"
And this brings it into line with the others.
Second draft changing just those synopses attached.
--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package
diff -ru igtf-policy-bundle-1.56.pristine/debian/control
igtf-policy-bundle-1.56/debian/control
--- igtf-policy-bundle-1.56.pristine/debian/control 2014-04-17
15:23:47.000000000 +0100
+++ igtf-policy-bundle-1.56/debian/control 2014-04-30 12:25:36.537763697
+0100
@@ -14,13 +14,12 @@
Depends: ${misc:Depends}
Recommends: fetch-crl, openssl
Suggests: ca-certificates
-Description: IGTF classic profile for Authority Root Certificates
- The International Grid Trust Federation (IGTF) maintains a common
- trust base for the benefit of distributed science and research
- computing infrastructures by maintaining a list of trust anchors, for
- accredited authorities. The distribution contains root certificates,
- certificate revocation list (CRL) locations, contact information, and
- signing policies.
+Description: IGTF classic profile for Certificate Authorities
+ The International Grid Trust Federation (IGTF) maintains a common trust
+ base for the benefit of distributed science and research computing
+ infrastructures. It provides a list of accredited trust anchors, with
+ root certificates, certificate revocation list locations, contact
+ information, and signing policies.
.
This package contains the trust anchors for the classic profile.
@@ -29,13 +28,12 @@
Depends: ${misc:Depends}
Recommends: fetch-crl, openssl
Suggests: ca-certificates
-Description: IGTF MICS profile for Authority Root Certificates
- The International Grid Trust Federation (IGTF) maintains a common
- trust base for the benefit of distributed science and research
- computing infrastructures by maintaining a list of trust anchors, for
- accredited authorities. The distribution contains root certificates,
- certificate revocation list (CRL) locations, contact information, and
- signing policies.
+Description: IGTF MICS profile for Certificate Authorities
+ The International Grid Trust Federation (IGTF) maintains a common trust
+ base for the benefit of distributed science and research computing
+ infrastructures. It provides a list of accredited trust anchors, with
+ root certificates, certificate revocation list locations, contact
+ information, and signing policies.
.
This package contains the trust anchors for the MICS (Member Integrated
Credential Services) profile.
@@ -45,13 +43,12 @@
Depends: ${misc:Depends}
Recommends: fetch-crl, openssl
Suggests: ca-certificates
-Description: IGTF SLCS profile for Authority Root Certificates
- The International Grid Trust Federation (IGTF) maintains a common
- trust base for the benefit of distributed science and research
- computing infrastructures by maintaining a list of trust anchors, for
- accredited authorities. The distribution contains root certificates,
- certificate revocation list (CRL) locations, contact information, and
- signing policies.
+Description: IGTF SLCS profile for Certificate Authorities
+ The International Grid Trust Federation (IGTF) maintains a common trust
+ base for the benefit of distributed science and research computing
+ infrastructures. It provides a list of accredited trust anchors, with
+ root certificates, certificate revocation list locations, contact
+ information, and signing policies.
.
This package contains the trust anchors for the SLCS (Short Lived
Credential Services) profile.
@@ -61,13 +58,12 @@
Depends: ${misc:Depends}
Recommends: openssl
Suggests: ca-certificates
-Description: IGTF unaccredited Authority Root Certificates
- The International Grid Trust Federation (IGTF) maintains a common
- trust base for the benefit of distributed science and research
- computing infrastructures by maintaining a list of trust anchors, for
- accredited authorities. The distribution contains root certificates,
- certificate revocation list (CRL) locations, contact information, and
- signing policies.
+Description: IGTF unaccredited Certificate Authorities
+ The International Grid Trust Federation (IGTF) maintains a common trust
+ base for the benefit of distributed science and research computing
+ infrastructures. It provides a list of accredited trust anchors, with
+ root certificates, certificate revocation list locations, contact
+ information, and signing policies.
.
This package contains several unaccredited trust anchors. Use with
caution, as they come without any guarantees.
@@ -77,13 +73,12 @@
Depends: ${misc:Depends}
Recommends: openssl
Suggests: ca-certificates
-Description: IGTF experimental Authority Root Certificates
- The International Grid Trust Federation (IGTF) maintains a common
- trust base for the benefit of distributed science and research
- computing infrastructures by maintaining a list of trust anchors, for
- accredited authorities. The distribution contains root certificates,
- certificate revocation list (CRL) locations, contact information, and
- signing policies.
+Description: IGTF experimental Certificate Authorities
+ The International Grid Trust Federation (IGTF) maintains a common trust
+ base for the benefit of distributed science and research computing
+ infrastructures. It provides a list of accredited trust anchors, with
+ root certificates, certificate revocation list locations, contact
+ information, and signing policies.
.
This package contains several experimental trust anchors. Use with
caution, as they come without any guarantees.
diff -ru igtf-policy-bundle-1.56.pristine/debian/templates.in
igtf-policy-bundle-1.56/debian/templates.in
--- igtf-policy-bundle-1.56.pristine/debian/templates.in 2014-04-17
15:23:47.000000000 +0100
+++ igtf-policy-bundle-1.56/debian/templates.in 2014-04-29 20:46:16.984527381
+0100
@@ -1,23 +1,26 @@
Template: igtf-policy-@PROFILE@/install_profile
Type: boolean
Default: true
-_Description: Install the IGTF @PROFILE@ CAs in
/etc/grid-security/certificates?
- This package installs the IGTF CAs in /etc/grid-security/certificates.
- There are two ways to deal with these certificates:
- - yes: install all, except those in the exclude list
- - no: install only CAs in the include list.
- The include/exclude lists are covered by the next question.
+_Description: Trust IGTF @PROFILE@ CAs by default?
+ Trusted IGTF Certification Authority certificates are installed in
+ /etc/grid-security/certificates.
+ .
+ Accept this option to have certificates included by default unless they
+ are explicitly excluded. Reject it to choose the reverse policy,
+ excluding them unless explicitly included.
+ .
+ You will then have the opportunity to define the list of exceptions.
Template: igtf-policy-@PROFILE@/exclude_ca
Type: multiselect
Choices: ${exclude_ca}
-_Description: Certificates to explicitly exclude
- Select which certificates should not be installed in
+_Description: Certificates to explicitly exclude:
+ Please select which certificates should not be installed in
/etc/grid-security/certificates.
Template: igtf-policy-@PROFILE@/include_ca
Type: multiselect
Choices: ${include_ca}
-_Description: Certificates to explicitly include
- Select which certificates should be installed in
+_Description: Certificates to explicitly include:
+ Please select which certificates should be installed in
/etc/grid-security/certificates.
Template: igtf-policy-@PROFILE@/install_profile
Type: boolean
Default: true
_Description: Trust IGTF @PROFILE@ CAs by default?
Trusted IGTF Certification Authority certificates are installed in
/etc/grid-security/certificates.
.
Accept this option to have certificates included by default unless they
are explicitly excluded. Reject it to choose the reverse policy,
excluding them unless explicitly included.
.
You will then have the opportunity to define the list of exceptions.
Template: igtf-policy-@PROFILE@/exclude_ca
Type: multiselect
Choices: ${exclude_ca}
_Description: Certificates to explicitly exclude:
Please select which certificates should not be installed in
/etc/grid-security/certificates.
Template: igtf-policy-@PROFILE@/include_ca
Type: multiselect
Choices: ${include_ca}
_Description: Certificates to explicitly include:
Please select which certificates should be installed in
/etc/grid-security/certificates.
Source: igtf-policy-bundle
Section: misc
Priority: extra
Maintainer: Dennis van Dok <denni...@nikhef.nl>
Build-Depends: debhelper (>= 8.0.0), po-debconf
Standards-Version: 3.9.5
Homepage: http://www.igtf.net/
Vcs-Git: git://g...@github.com:dvandok/igtf-policy-bundle.git
Vcs-Browser: https://github.com/dvandok/igtf-policy-bundle
Package: igtf-policy-classic
Architecture: all
Depends: ${misc:Depends}
Recommends: fetch-crl, openssl
Suggests: ca-certificates
Description: IGTF classic profile for Certificate Authorities
The International Grid Trust Federation (IGTF) maintains a common trust
base for the benefit of distributed science and research computing
infrastructures. It provides a list of accredited trust anchors, with
root certificates, certificate revocation list locations, contact
information, and signing policies.
.
This package contains the trust anchors for the classic profile.
Package: igtf-policy-mics
Architecture: all
Depends: ${misc:Depends}
Recommends: fetch-crl, openssl
Suggests: ca-certificates
Description: IGTF MICS profile for Certificate Authorities
The International Grid Trust Federation (IGTF) maintains a common trust
base for the benefit of distributed science and research computing
infrastructures. It provides a list of accredited trust anchors, with
root certificates, certificate revocation list locations, contact
information, and signing policies.
.
This package contains the trust anchors for the MICS (Member Integrated
Credential Services) profile.
Package: igtf-policy-slcs
Architecture: all
Depends: ${misc:Depends}
Recommends: fetch-crl, openssl
Suggests: ca-certificates
Description: IGTF SLCS profile for Certificate Authorities
The International Grid Trust Federation (IGTF) maintains a common trust
base for the benefit of distributed science and research computing
infrastructures. It provides a list of accredited trust anchors, with
root certificates, certificate revocation list locations, contact
information, and signing policies.
.
This package contains the trust anchors for the SLCS (Short Lived
Credential Services) profile.
Package: igtf-policy-unaccredited
Architecture: all
Depends: ${misc:Depends}
Recommends: openssl
Suggests: ca-certificates
Description: IGTF unaccredited Certificate Authorities
The International Grid Trust Federation (IGTF) maintains a common trust
base for the benefit of distributed science and research computing
infrastructures. It provides a list of accredited trust anchors, with
root certificates, certificate revocation list locations, contact
information, and signing policies.
.
This package contains several unaccredited trust anchors. Use with
caution, as they come without any guarantees.
Package: igtf-policy-experimental
Architecture: all
Depends: ${misc:Depends}
Recommends: openssl
Suggests: ca-certificates
Description: IGTF experimental Certificate Authorities
The International Grid Trust Federation (IGTF) maintains a common trust
base for the benefit of distributed science and research computing
infrastructures. It provides a list of accredited trust anchors, with
root certificates, certificate revocation list locations, contact
information, and signing policies.
.
This package contains several experimental trust anchors. Use with
caution, as they come without any guarantees.
