[debian-mysql] Bug#671534: Use case?

Nicholas Bamber nicholas at periapt.co.uk
Sat May 5 19:00:49 UTC 2012


Russ,
What if the location were configurable via debconf? (I have not checked
if it is or not.) The explanatory text could offer your choice as a
possible location.


On 05/05/12 19:51, Russ Allbery wrote:
> Nicholas Bamber<nicholas at periapt.co.uk>  writes:
>
>> 	Although in general I am all for standardization, I am not
>> actually clear about the use case here.
>
>> 	The typical case to which you refer is a browser-like client
>> talking to a webserver-like server using certificates checkable with
>> external authorities.
>
>> 	In the MySQL case both client and server must be using MySQL code
>> at some level and the certificates are likely to be managed by an
>> authority internal to the organization.
>
> I don't really agree with your last assumption... or at least this isn't
> true of us at Stanford.  We use commercial Comodo certificates for
> anything internal that isn't just test/dev (and increasingly for that),
> since we have a site-license for Comodo certificates and they're free.
> There's no reason not to, and using a CA that's already built into various
> software makes everything easier.  (This is likely common for US
> universities that are part of Internet2, since Internet2 negotiated a
> general agreement with Comodo.)
>
> But even apart from that, suppose it is managed by an authority internal
> to the organization.  The obvious thing to do with the certificate for
> that internal CA on a Debian system is to put it into
> /usr/local/share/ca-certificates and then let ca-certificates add it to
> all the other trusted CAs.  That way, certificates issued by your internal
> CA will transparently work with anything on a Debian system that uses SSL,
> not just web browsers.
>
> We use that same /etc/ssl/certs infrastructure for our internal Usenet
> server, for the certificates for our LDAP servers, our SMTP servers, and
> so forth.  (And indeed for LDAP and SMTP, even if you don't have free
> commercial certificates, it's usually a good idea to get commercial
> certificates so that you don't have to deal with the CA distribution
> hassle.)
>
> Also, it's worth mentioning that anyone can get free trusted certificates
> that will be verified by the /etc/ssl/certs infrastructure from
> cacert.org.
>
> I suppose the drawback to using /etc/ssl/certs by default is that people
> may not want to trust the commercial CA authorities by default, and there
> are some reasons to be concerned about that.  But, there, I think the risk
> for MySQL in most ways in which it's used is probably lower than for the
> web browser, since the MySQL clients are more likely to be on controlled
> networks and therefore less likely to be prone to easy man-in-the-middle
> attacks.
>
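
Russ's suggestion of dropping an internal CA into /usr/local/share/ca-certificates and letting ca-certificates hash it into /etc/ssl/certs can be checked without touching the system store. The script below is an added example, not code from this thread or from the Debian packaging: it builds a throw-away internal CA, installs it into a temporary hashed capath the same way update-ca-certificates lays out /etc/ssl/certs, and verifies a server certificate issued by that CA with openssl verify (CA name, hostname and paths are all constructed; the mysql --ssl-capath option mentioned in the comments is MySQL's own client option).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): reproduce, in a temporary
# directory, the hashed CA directory that Debian's ca-certificates builds under
# /etc/ssl/certs from /usr/local/share/ca-certificates/*.crt, and check that a
# certificate issued by an "internal CA" chains against it.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a throw-away internal CA and one server certificate it issues.
# Constructed test material only; no real organisation's keys or names.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Internal CA/CN=internal-root" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=db.example.internal" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.crt" 2>/dev/null
}

# Install a CA into a capath the way update-ca-certificates does for
# /etc/ssl/certs: one file per CA, named <subject-hash>.0, so any
# OpenSSL-based client (e.g. mysql --ssl-capath=/etc/ssl/certs) can find it.
install_ca_into_capath() {
    capath=$1; cacert=$2
    mkdir -p "$capath"
    hash=$(openssl x509 -hash -noout -in "$cacert")
    cp "$cacert" "$capath/$hash.0"
}

# Return 0 if the leaf certificate chains to a CA in the capath, 1 otherwise.
verify_leaf() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

make_test_ca
install_ca_into_capath "$WORK/certs" "$WORK/ca.crt"
verify_leaf "$WORK/certs" "$WORK/server.crt" && echo "server.crt: OK"
```

On a real Debian host the same layout is produced by placing the CA file in /usr/local/share/ca-certificates/ and running update-ca-certificates, after which the verification step works against /etc/ssl/certs unchanged.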