Hi,

> The Mozilla CA process is well documented, and perhaps streamlining a
> similar process for Debian ca-certificates, modeled after Mozilla's,
> might be the way to go.
I don't think we should have a separate inclusion process from Mozilla. Mozilla has a well-defined policy to include CAs. With the introduction of the CA/Browser Forum, the process is even getting standardised across all major browsers. I do not believe that Debian has the insight, means or resources to do better than Mozilla in verifying CAs, that is, to include more CAs than Mozilla does. If a CA can't pass the bar of the CA/Browser Forum or WebTrust, I don't see, in general, what information Debian has to decide that it knows better and that the CA is worthy of being trusted by software in Debian while the browsers in Debian do not trust that CA.

There's also the question of exits: while obviously not perfect, at least the list of CAs in Mozilla is much more widely and closely monitored than the list in ca-certificates will ever be; as history has shown, old, expired CAs weren't removed from Debian. By including just the Mozilla CAs we also automatically follow the scrutiny and exit policy that surrounds that.

The SPI and debconf CAs are the obvious exceptions which we can include nonetheless. I don't think it's completely evident that CAcert must be included, but I can understand the special position CAcert has in the community and hence the arguments not to remove that CA.

However, I believe we must not include any other CA than Mozilla's set plus these three well-defined exceptions, and hence remove all CAs currently in ca-certificates but outside this set.

Cheers,
Thijs

