On Mon, Apr 09, 2012 at 09:52:44AM -0400, Daniel Kahn Gillmor wrote:
> On 04/07/2012 12:46 PM, Kurt Roeckx wrote:
>
> > At least the certdata.txt file contains the information, you can
> > edit in iceweasel/firefox.
>
> edit at runtime or at compile time? system administrators ideally
> shouldn't have to recompile packages in order to add or drop system-wide
> default reliance on a given CA.

iceweasel/firefox allows editing it at runtime, just like it allows
you to add more keys to its store. I think it's stored in
cert8.db / cert_override.txt. But that's all per application / user.

> > The information only gets lots when the ca-certificates package is created.
>
> I think you mean "lost" here, right?

Yes.

> Can you propose a mechanism such that this info would not get lost?

X509 has a way to embed the trust in the certificate itself, see
"TRUST SETTINGS" in openssl's x509 manpage.

Kurt
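
The trust settings mentioned in the message above, as an added example that is not part of the original mail: it attaches a permitted and a rejected use to a certificate with `openssl x509 -addtrust` / `-addreject` and reads them back. The CA name, file names and the chosen purposes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: embed per-purpose trust in the certificate file itself,
# using the "TRUST SETTINGS" options of openssl x509.
# All names and paths below are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed throwaway self-signed certificate standing in for a CA.
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Write a copy that is trusted for TLS server authentication and
# explicitly rejected for e-mail protection. Using -addtrust/-addreject
# makes openssl emit the "trusted certificate" PEM form.
add_trust() {
    openssl x509 -in "$WORK/ca.pem" \
        -addtrust serverAuth -addreject emailProtection \
        -out "$WORK/ca.trusted.pem"
}

# First line of a PEM file: shows which PEM form was written.
pem_label() {
    sed -n '1p' "$1"
}

# Print the trust settings carried by the certificate file.
trust_summary() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 -E '(Trusted|Rejected) Uses:'
}

make_demo_ca
add_trust
pem_label "$WORK/ca.trusted.pem"
trust_summary "$WORK/ca.trusted.pem"
```

The trust block is an OpenSSL-specific addition to the PEM file, so software that does not use OpenSSL to load the certificate may not honor it.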