On Thu, 2009-06-25 at 07:57 +0200, Philipp Kern wrote:
> on Thu, Jun 25, 2009 at 04:17:00AM +0200 you wrote the following:
> > 2) As far as I can see, only ONE of DFN's root certs is "cross-signed"
> > by Deutsche Telekom, namely the "DFN-Verein PCA Global - G01".
> > The others:
> > DFN-Verein PCA Classic - G01
> > DFN-Verein PCA Grid - G01
> > DFN-Verein PCA Basic - G01
> > are not covered by this, but are still very interesting.
>
> the point here is: I didn't do that because the universities I know are
> phasing out the non-Global variants in favour of the

Uhm... definitely not,.. at least not the Grid one...
AFAIK the policy,.. the Global ones are only used for stuff like websites, and so on...
But here in the - quite large ;) - Grid scene,... either DFN Grid or GridKa-Ca certs are used within Germany.
And I think even the others are interesting,.. they're still used. Maybe not as much as Global and Grid,... but probably even more than some others that are part of ca-certificates.

> (soon to be Mozilla included, heh) Global one.

Well,.. I assume you mean the Deutsche Telekom Root 2?
Again,.. I think it's quite dangerous to "move" trust more and more to a higher level.
Say a user trusts DFN but doesn't think Deutsche Telekom is trustworthy,... he could simply activate just the DFN certs.
But if they're not included, the only thing he can do is: trust everything that Deutsche Telekom trusts.

Another "problem", but probably one that doesn't belong to this bug report:
Should Debian simply take everything that Mozilla (or others) collect?

Best wishes,
Chris.

