Hello Christoph, on Thu, Jun 25, 2009 at 01:03:27PM +0200 you wrote the following:
> > the point here is: I didn't do that because the universities I know
> > are phasing out the non-Global variants in favour of the
> Uhm... definitely not,.. at least not the Grid one...
> AFAIK the policy,.. the Global ones are only used for stuff like
> Websites, and so on...
> But here in the - quite large ;) - Grid scene,... either DFN Grid or
> GridKa-Ca certs are used within Germany.
thought that but I wanted that documented in the bug report. I guess
the Grid one can be included then. But now you also raise another
certificate authority...
How would the certificate be used? Sadly I don't know how those grids
work[*]. Would users need the certificate installed or somehow the
individual nodes? (As for the latter they can be put into
/usr/local/share/ca-certificates with the newest version.)
> >(soon to be Mozilla
> > included, heh) Global one.
> Well,.. I assume you mean the Deutsche Telekom Root 2?
> Again,.. I think it's quite dangerous to "move" trust more and more to a
> higher level.
> Say a user trusts DFN but doesn't think Deutsche Telekom is
> trustworthy,... he could simply activate just the DFN certs. But if
> they're not included, the only thing he can do is: trust everything that
> Deutsche Telekom trusts.
Well, it's X.509. I won't include every intermediate root out there.
I'm already happy that DTAG will be included in nss for Firefox 3.5,
so that I can get rid of that certificate in ca-certificates.
That's also why your Mozilla root example doesn't hold at all. It's not
how X.509 works. In this case Mozilla would not only sign the other
roots but issue them. There is no real cross-signing facility there.
I'm also not happy that I cannot assign trust values to certificates
like Mozilla does in their truststore, so this is kind of best effort.
> Another "problem" but probably one that doesn't belong to this
> bug-report:
> Should Debian simply take everything that Mozilla (or others) collect?
We already do that.
Kind regards,
Philipp Kern
[*] Despite being a student in Karlsruhe. Oh well. It's not that you
would get access to such things easily. ;-)
--
.''`. Philipp Kern Debian Developer
: :' : http://philkern.de Stable Release Manager
`. `' xmpp:[email protected] Wanna-Build Admin
`- finger pkern/[email protected]

