On Sun, 22 Feb 2026 12:19:06 +0100 Chris Hofstaedtler wrote:
> On Sat, Feb 21, 2026 at 06:25:47PM +0100, Simon Josefsson wrote:
> > Not thinking of any of those CAs specifically, but generally, I wonder
> > if Debian's users are served by having all of the WebPKI CAs enabled by
> > default.
> [..]
> > One simple criteria could be that the CA supports Certificate
> > Transparency and offer a public log of all their issued certificates,
>
> I was going to say that WebPKI already requires that, however it
> appears this might not be a WebPKI requirement per se, but what the
> big platforms require (Chrome, Firefox, Apple, Microsoft).

They require that for a subset of certificates: those used for TLS servers. Not sure about TLS client (only) or code signing certificates, but I don't know of any S/MIME certificates in CT logs.

As far as I understand Chrome will require roots that only issue TLS server certificates for their browser trust store, but shipping S/MIME CAs seems useful for a system trust store not limited to web browsers.

Ansgar

