On Fri, May 24, 2013 at 12:32:29PM +0200, Dennis van Dok wrote:
> The point I'd like to raise is that the current model of CA
> certificates seems to take an all-or-nothing approach: either a CA is
> trusted (for whatever purpose) or not. For the IGTF CAs, this may not
> be the right approach.
One of the things I would like to see is that trust settings are part of a systemwide store. This means that you can say you trust a CA for clients, servers, email, codesigning, ... Certificates in ca-certificates mostly come from Mozilla, and they already have such trust settings. However, they're lost when imported in ca-certificates, so applications using the certificates from ca-certificates can't check that.

OpenSSL can add such trust settings (see x509(1ssl), section TRUST SETTINGS). However, it changes the format of the PEM file, and gcrypt can't read this.

Kurt

Archive: http://lists.debian.org/20130524171833.ga14...@roeckx.be
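Added example (not from Kurt's mail, OpenSSL or gcrypt) showing why the format change matters: in a "TRUSTED CERTIFICATE" PEM the base64 body is the certificate DER followed by OpenSSL's X509_CERT_AUX structure holding the trust and reject OIDs, so a reader that expects the body to be exactly one Certificate element finds trailing bytes. The parser below splits the two apart; the sample body is constructed, with a placeholder SEQUENCE standing in for a real certificate, and the function and field names are my own.

```python
import base64

def read_tlv(buf, pos):                    # -> (tag, value, position after the element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                          # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def decode_oid(body):                      # DER OID contents -> dotted string
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def oids_in(seq):                          # every OID inside a SEQUENCE OF OID body
    out, p = [], 0
    while p < len(seq):
        _, v, p = read_tlv(seq, p)
        out.append(decode_oid(v))
    return out

def parse_pem(pem):
    """Split a CERTIFICATE or TRUSTED CERTIFICATE PEM into cert DER and trust settings."""
    body = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    _, _, end = read_tlv(body, 0)          # the Certificate element itself
    trust, reject, q = [], [], 0
    if end < len(body):                    # trailing X509_CERT_AUX; absent in a plain PEM
        _, aux, _ = read_tlv(body, end)
        while q < len(aux):
            tag, v, q = read_tlv(aux, q)
            if tag == 0x30:                # trust SEQUENCE OF OID
                trust = oids_in(v)
            elif tag == 0xA0:              # reject [0] SEQUENCE OF OID
                reject = oids_in(v)
    return {"cert_der": body[:end], "trailing_bytes": len(body) - end, "trust": trust, "reject": reject}

# Constructed sample: a placeholder SEQUENCE stands in for the Certificate, then X509_CERT_AUX.
SAMPLE_BODY = (
    b"\x30\x18\x04\x16not a real certificate"             # placeholder "certificate"
    + b"\x30\x18"                                          # X509_CERT_AUX SEQUENCE
    + b"\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x01"  # trust: serverAuth
    + b"\xa0\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x04"  # reject: emailProtection
)
SAMPLE_PEM = ("-----BEGIN TRUSTED CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_BODY).decode()
              + "-----END TRUSTED CERTIFICATE-----\n")
```

Running `parse_pem(SAMPLE_PEM)` returns the placeholder certificate bytes, 26 trailing bytes of trust data, serverAuth under trust and emailProtection under reject; a plain CERTIFICATE PEM gives zero trailing bytes and empty lists.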