Bug#731463: Bug#718434: Bug#731463: Bug#718434: ca-certificates: should CAcert.org be included?
Raphael Geissert
geissert at debian.org
Sat Dec 7 12:54:37 UTC 2013
Hi Daniel,
On Saturday 07 December 2013 01:21:52 Daniel Kahn Gillmor wrote:
> can we ship CAs marked as "disabled" by default? my impression is that
> every CA shipped in ca-certificates right now is enabled automatically
> unless the user has debconf's priority set to be more verbose than the
> default.
I'm personally inclined to do something along those lines for CAcert as a
way to discontinue it.
> The other way to maintain the same CA set is for Someone™ to fix #704180
While I like that solution (having to modify nss to add/remove certs is a
PITA), I wonder how trust settings should be managed. With nss' ckbi store
you can ship a certificate and indicate no trust setting for a specific use,
distrust, etc. No trust setting can be determined from /etc/ssl/certs,
losing important information.
Do you know if there's already a plan to address that shortcoming?
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
More information about the pkg-mozilla-maintainers
mailing list