Your message dated Mon, 5 Mar 2018 06:52:43 +0000
with message-id <bc50303d-bbab-b485-ee9b-d620f56e3...@fsfe.org>
and subject line ca-dn42 -- dn42 automatic CA root certificates
has caused the Debian Bug report #845351,
regarding RFP: ca-dn42 -- dn42 automatic CA root certificates
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
845351: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845351
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: wnpp
Severity: wishlist
Owner: "Iain R. Learmonth" <i...@debian.org>
* Package name : ca-dn42
Version : 20161122.0
Upstream Author : DN42.US Certificate Authority
* URL : https://ca.dn42.us/crt/
* License : BSD-2-clause
Programming Lang: X.509
Description : dn42 automatic CA root certificates
This package provides the dn42 automatic CA root certificate in PEM format.
Root certificates allow SSL-based applications to check for the
authenticity of certificates issued by the dn42 automatic CA.
Please note that these certificates are used only within the dn42 network and
do not appear on the public Internet. The root certificate has constraints
that it can only be used to sign domains ending with .dn42, and so cannot be
used to verify domains on the public Internet.
For more information on dn42, see: http://dn42.org/ or
https://en.wikipedia.org/wiki/Decentralized_network_42.
--- End Message ---
--- Begin Message ---
Hi,
I don't believe that the way that CAs are currently handled in Debian
and the way the Internet works really lends itself to having additional
CAs packaged for non-ICANN domains.
While the dn42 CA is restricted to only certain domains, there is also
the possibility that ICANN would decide to allocate .dn42 as a TLD.
There is also no guarantee that certificate handling code in Debian will
always check the constraints on the certificate.
draft-ietf-dnsop-alt-tld, if made a standard, would also not help as
this is only relating to names that are resolved without the use of the
DNS protocol.
For now I'll close this bug as I do not see a path to progressing it.
Thanks,
Iain.
--- End Message ---