- Package: ca-certificates
- Source: ca-certificates
- Submitter: Ian Jackson
- Date: 2021-01-20 14:00:03 UTC
- Severity: wishlist
- Tags:
Hi. I have what may seem a slightly strange request.

Can you please have ca-certificates provide the Let's Encrypt CA cert - currently, the intermediate cert, and in due course their master root cert, in a specific location in the package ?

I want this to help secure access to a Debian-provided service (the ftpmaster data API service https://api.ftp-master.debian.org/) when it is accessed by dgit on a Debian system. intrigeri suggested (#932570) that a way to help do this would be to pin dgit's uses of TLS to the LE CA.

To do this dgit needs to find a copy of the LE CA cert. It seems to us that the best way for this to be provided would be as part of ca-certificates.

It's true that this involves treating LE rather specially. But LE is indeed special because it is the CA we use for Debian-provided services.

What do you think ?

Thanks,
Ian.
If dgit wants to pin a service to a certain CA, it seems to me dgit is best placed to ship that pinned CA itself, rather than rely on ca-certificates, whose purpose is essentially to provide trust anchors for the web PKI, not any particular service.

(You'd probably want to check with the operators of the service that they're OK with pinning it to a particular CA, or set of CAs, for however long it'll live in that package.)

Cheers,
Julien