Your message dated Wed, 06 Sep 2017 19:24:08 +0200
with message-id <[email protected]>
and subject line Re: Bug#874120: ca-certificates: should "TUBITAK Kamu SM SSL 
Kok Sertifikasi - Surum 1" be trusted by default?
has caused the Debian Bug report #874120,
regarding ca-certificates: should "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 
1" be trusted by default?
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
874120: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874120
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ca-certificates
Version: 20170717
Severity: normal

Hi,

ca-certificates 20170717 added the "TUBITAK Kamu SM SSL Kok Sertifikasi
- Surum 1" CA, but when that was added to nss it was restricted to a
small set of domains[1].  Thus I wonder if it wouldn't be better to
blacklist it from ca-certificates, since we can't encode this kind of
constraint.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1349705

Cheers,
Julien

--- End Message ---
--- Begin Message ---
Fair enough. I just figured I'd raise this and don't have a strong opinion 
either way, so I'll just close this now. Thanks.

Cheers, 
Julien

On September 6, 2017 7:16:13 PM GMT+02:00, Michael Shuler 
<[email protected]> wrote:
>On 09/03/2017 09:09 AM, Julien Cristau wrote:
>> ca-certificates 20170717 added the "TUBITAK Kamu SM SSL Kok Sertifikasi
>> - Surum 1" CA, but when that was added to nss it was restricted to a
>> small set of domains[1].  Thus I wonder if it wouldn't be better to
>> blacklist it from ca-certificates, since we can't encode this kind of
>> constraint.
>> 
>> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1349705
>
>There are a number of technically constrained CAs. I'm not sure
>blacklisting would be the right answer for Debian/derivative users,
>since that makes the CA certificate completely uninstalled by the
>package and never able to be used. In the best case scenario, the CA
>abides by the technical constraints and never issues a certificate
>outside of their allowed domains, and there are no problems. I
>understand this isn't an ideal world, security issues happen, but I also
>don't wish to punish users of a technically constrained CA, since
>there's no mechanism in ca-certificates for this check, like there is in
>NSS.
>
>I don't have a great idea at the moment, but do think blacklisting a
>technically constrained CA is a bit heavy handed.
>
>-- 
>Michael

--- End Message ---
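
The domain check that the thread says ca-certificates cannot encode, sketched at the application level as an added example (not part of the original messages, and not ca-certificates or NSS code). The root name, the permitted domains and all function names are constructed placeholders, since the thread does not list the real constraint set.

```python
# Added example: enforce externally imposed DNS name constraints for a root
# CA when the trust store itself carries no constraint metadata.
# PERMITTED is a constructed placeholder table (assumption): the root name
# and domains are illustrative, not the real constraint list.
PERMITTED = {
    "Constrained Example Root CA": ("gov.example", "edu.example"),
}


def _labels(name):
    """Lower-case, drop leading/trailing dots, split into DNS labels."""
    return name.strip().lower().strip(".").split(".")


def within(name, subtree):
    """True if name equals subtree or is a subdomain of it.

    Comparison is per label, so 'evilgov.example' does not match
    'gov.example' the way a plain string suffix test would.
    """
    n, s = _labels(name), _labels(subtree)
    if n and n[0] == "*":
        # Wildcard SAN: every name it covers sits under its parent domain,
        # so the parent must itself be inside the permitted subtree.
        n = n[1:]
    return len(n) >= len(s) and n[-len(s):] == s


def check_chain(root_cn, san_dns_names):
    """Return the SAN DNS names that fall outside the root's constraints.

    Roots absent from PERMITTED are treated as unconstrained and yield [].
    A non-empty result means the chain should be rejected.
    """
    subtrees = PERMITTED.get(root_cn)
    if subtrees is None:
        return []
    return [n for n in san_dns_names
            if not any(within(n, s) for s in subtrees)]


if __name__ == "__main__":
    # Constructed sample: one permitted name, one outside the constraints.
    sans = ["portal.edu.example", "shop.example"]
    print(check_chain("Constrained Example Root CA", sans))
```

The caller is assumed to have already built and verified the chain and to pass in the anchoring root's name and the leaf's SAN dNSName entries.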
