Re: Can security/ca_root_nss be retired?
- In reply to: Andrea Venturoli : "Re: Can security/ca_root_nss be retired?"
Date: Fri, 20 Jan 2023 09:47:11 UTC
On Fri, 20 Jan 2023 10:16:41 +0100 Andrea Venturoli <ml@netfence.it> wrote:

> On 1/20/23 09:16, Andrea Venturoli wrote:
>
> > Base has single certs in /etc/ssl/certs, where I can add my own private
> > CAs' ones.
> >
> > Port provides a single bundled file in
> > /usr/local/etc/ssl/cert.pem.
>
> And also /usr/local/share/certs/ca-root-nss.crt, which is used in other
> cases, overriding the other stores.
>
> So, in the end, there should be agreement on *one* official source of
> certs and that would be ideally used by everything. The port
> could/should populate that, without disrupting local additions.
>
> bye
> av.

IMHO, we would need 3 places.

* For base with lowest priority.
* For ports which can override base certs.
  ALL PORTS SHOULD WRITE CERTS ONLY HERE.
* For local admins only, with highest priority.
  Nothing else can override certs here.

--
Tomoaki AOKI <junchoon@dec.sakura.ne.jp>