Jaldhar H. Vyas wrote:
> In bug #376146, Martin Pitt wrote:
>
> > In an effort to clean up the SSL certificate mess on Ubuntu servers, we
> > recently converted all our supported Server packages to make use of
> > the ssl-cert package instead of creating a package-specific
> > self-signed SSL certificate. This allows admins to easily replace the
> > certificate with a 'real' one without touching dozens of configuration
> > files, and also provides a consistent setup out of the box.
>
> Is this a good idea for Debian? I think it is but it doesn't make sense
> to switch dovecot over unless all the other ssl-cert using packages also do
> it. Is this possible in the etch timeframe?
I believe that this is a good idea; however, I would like to propose a slightly different approach.

At the moment, it seems that all applications use their own certificates and maybe also create them upon installation or rather configuration. It may be useful to have a certificate for each service, but it may also be useful to have one certificate for all services. This may be discussible but needs to be decided by the local admin anyway. Hence, we should try to make both ways easily implementable, especially if the system is to be reviewed or redesigned.

Hence, I propose to stay with virtual per-service certificates, but to link them to the common snakeoil certificate from ssl-certificates during configuration, and only if there is no other setting. For example: Dovecot uses </etc/ssl/certs/dovecot.pem>. This is a symbolic link to </etc/ssl/certs/ssl-cert-snakeoil.pem> if the above file or link does not exist during configuration of dovecot.

That way, the admin can easily replace the symlink with a real certificate if they want per-service certificates. If, however, they want to have one real certificate for everything, they can replace the snakeoil certificate like Martin Pitt proposed.

I would like to see some coordination between maintainers of packages that use or create such certificates. It'll take a while to implement this anyway, so if only a few packages start and others follow later, that'd be an improvement anyway.

Regards,

Joey

--
Open source is important from a technical angle. -- Linus Torvalds

Please always Cc to me when replying to me on the lists.
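The linking rule Joey describes ("symlink to the snakeoil certificate, but only if the file or link does not already exist") is small enough to show as a maintainer-script fragment. The following is an added example written for this page; it is not code from the thread, nor from the dovecot or ssl-cert packages. The ROOT prefix, the function names, and the per-service key path /etc/ssl/private/dovecot.pem are assumptions made here so the script can be run against a scratch directory; the snakeoil key path is the one the ssl-cert package ships, although the thread only mentions the certificate.

```shell
#!/bin/sh
# Added example (not from the thread, dovecot, or ssl-cert): the postinst step
# Joey proposes. Dovecot keeps its own certificate path, which is only a symlink
# to the shared snakeoil certificate, and the link is created solely when the
# admin has put nothing there yet.
#
# ROOT is an assumption so the script can run against a scratch directory
# instead of the live /etc. SERVICE_KEY is likewise an assumed path.
set -u

ROOT="${ROOT:-}"
SNAKEOIL_CERT="$ROOT/etc/ssl/certs/ssl-cert-snakeoil.pem"
SNAKEOIL_KEY="$ROOT/etc/ssl/private/ssl-cert-snakeoil.key"
SERVICE_CERT="$ROOT/etc/ssl/certs/dovecot.pem"
SERVICE_KEY="$ROOT/etc/ssl/private/dovecot.pem"

# link_service_cert SERVICE_PATH SHARED_PATH
# Prints one word describing what happened so callers can check it:
#   keep    - something already exists at SERVICE_PATH (a file, or any symlink,
#             even a dangling one): that is the admin's setting, leave it alone
#   linked  - SERVICE_PATH was created as a symlink to SHARED_PATH
#   missing - SHARED_PATH does not exist (ssl-cert not configured): warn, skip
link_service_cert() {
    svc="$1"
    shared="$2"
    # -e follows symlinks and is false for a dangling one, so also test -L:
    # an admin's link to a certificate that is not installed yet must survive.
    if [ -e "$svc" ] || [ -L "$svc" ]; then
        echo keep
        return 0
    fi
    if [ ! -f "$shared" ]; then
        echo "warning: $shared not found, leaving $svc unconfigured" >&2
        echo missing
        return 0
    fi
    ln -s "$shared" "$svc"
    echo linked
}

# resolve_cert PATH: prints the file the service will actually load, so an
# admin can see which mode (shared snakeoil or per-service) is in effect.
resolve_cert() {
    if [ -L "$1" ]; then
        readlink "$1"
    else
        printf '%s\n' "$1"
    fi
}

# Behave like a Debian maintainer script: act only on "configure".
case "${1:-}" in
    configure)
        link_service_cert "$SERVICE_CERT" "$SNAKEOIL_CERT"
        link_service_cert "$SERVICE_KEY" "$SNAKEOIL_KEY"
        ;;
esac
```

Run it as `sh dovecot-ssl-link.sh configure`, or with ROOT pointing at a scratch tree to see the effect without touching /etc. The two modes from the thread fall out of the same rule: replacing the dovecot.pem symlink with a real file gives a per-service certificate, while replacing ssl-cert-snakeoil.pem itself changes every service that is still linked to it. One caveat a practitioner should check after linking the key: the ssl-cert package keeps /etc/ssl/private readable only by root and the ssl-cert group, so a daemon that drops privileges before loading its key needs to be in that group or to read the key while still root.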