On Tue, Mar 20, 2012 at 01:22:29AM -0400, Daniel Kahn Gillmor wrote: > [this discussion started on http://bugs.debian.org/608719] > > On 03/19/2012 11:14 PM, Ben Hutchings wrote: > >On Sun, 2011-01-02 at 18:20 -0500, Daniel Kahn Gillmor wrote: > >>It looks like dovecot-common's postinst script creates a new X.509 > >>certificate and places it in /etc/ssl/certs/dovecot.pem. This > >>certificate is for use as the IMAP or POP server's end entity > >>certificate. > >> > >>However, /etc/ssl/certs/ is used elsewhere in debian (e.g. the default > >>for wget's --ca-directory option) as a directory of legitimate root > >>certificate authorities -- *not* end entity certificates. > > > >Is this specified in any policy? If not, shouldn't it be discussed on > >debian-policy? > > Sure, that makes sense. I'm cc'ing debian-policy here. I'm not > subscribed to that list, so please keep me Cc'ed in the followup. > > >Personally, I think that it is a bad idea to treat the > >certificates in /etc/ssl/certs as automatically trusted. Even if > >packagers follow such a policy, system administrators likely will not > >read the policy and will not suspect that installing a certificate there > >has this effect.
Another issue is that no directories is provided for the system administrator to put their local certs. Of course they can use /etc/ssl/certs, but then the certs are drowned by the number. Cheers, Bill. -- To UNSUBSCRIBE, email to debian-policy-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20120402094922.GE2453@yellowpig
