On Fri, 10 May 2024 at 15:36, Steve McIntyre <st...@einval.com> wrote:
>
> On Fri, May 10, 2024 at 04:29:00PM +0200, Ansgar 🙀 wrote:
> >Hi,
> >
> >On Fri, 2024-05-10 at 15:20 +0100, Luca Boccassi wrote:
> >> On Thu, 04 Apr 2024 20:41:59 +0100 Luca Boccassi <bl...@debian.org>
> >> > On IRC Steve mentioned that he's ok with proceeding with this.
> >> > jcristau from DSA said that it's the FTP team that should confirm the
> >> > request for the new intermediate signer cert for systemd-boot to DSA.
> >> >
> >> > FTP team, are you ok with proceeding with this? If so, would it be
> >> > possible to have an ACK, please? Is there any more information required
> >> > beforehand?
> >
> >As long as the security boot people are fine with this, I think this
> >should be fine. (And AFAIU this seems to be the case.)
>
> Yes, I'm happy for us to add this. Please go ahead.
>
> >Maybe we should use a non-trusted cert for the initial setup and only
> >switch to a proper cert once everything is confirmed to be working as
> >expected?
>
> Hmmm, maybe? Luca?

What do you mean precisely here? A DSA-managed cert used by FTP to sign but that doesn't chain to the Debian CA? Or to do something completely local to the systemd-boot package? I am fine with any approach that lets us move forward, if that needs to be some intermediate testing stage that's fine by me.