tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Remove Kamu SM from mozilla-rootcerts



maya%NetBSD.org@localhost writes:

> Hi,
>
> Mozilla doesn't globally trust Kamu SM, but limits it to Turkish
> domains. Consumers of mozilla-rootcerts can't be expected to implement
> this additional limitation, so remove it from the list of trusted certs.
>
> Additional changes to mozilla rootcerts:
> https://wiki.mozilla.org/CA/Additional_Trust_Changes

Your proposed change seems right to me.  It's an unfortunate situation,
but presumably Kamu SM doesn't want to have nameConstraints in their
root CA cert.  It's also curious how they are somehow trustworthy for
Turkish domains but not otherwise, and that seems like it must be that
they really don't meet standards but that due to popularity are allowed
in that limited circumstance.

What is the situation with ANSSI?  It sounds like it is no longer in
mozilla-rootcerts, so not an issue.

It might be nice to drop into DESCR something like:

Certificates that mozilla treats as trustworthy only for certain
domains, as explained at
https://wiki.mozilla.org/CA/Additional_Trust_Changes, are omitted from
the package.


Home | Main Index | Thread Index | Old Index