igtf-policy-experimental 1.88-1 / usr / share / doc / igtf-policy-experimental / README.Debian

This file is indexed.

/usr/share/doc/igtf-policy-experimental/README.Debian is in igtf-policy-experimental 1.88-1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
igtf-policy-bundle for Debian
-----------------------------

The IGTF trust anchors are by default installed in
/etc/grid-security/certificates; this location is the common standard
for many pieces of grid middleware. However, in Debian this location
would make these files into conffiles which have a different status
than normal files, and therefore they are installed under
/usr/share/igtf-policy instead and symlinked to
/etc/grid-security/certificates on configuration.

 Profiles
 ========

Each CA certificate falls in on of three 'profiles' to distinguish
different policies under which these CAs operate. For more information
see http://www.eugridpma.org/guidelines/.

 - Classic
 - MICS (Member Integrated Certificate Service)
 - SLCS (Short Lived Credential Service)
 - IOTA (identifier-only trust anchors)

The packages are split according to these profiles, so it is very easy
to install just the classic profile.

 Use as grid trust anchors
 =========================

By default, all of the certificates in the profile are installed in
/etc/grid-security/certificates, but it is possible to reconfigure this
with

    dpkg-reconfigure igf-policy-classic

or setting values in a debconf selection file. The configuration offers
two choices:

  1. Install all certificates save explicit exceptions
  2. Install only selected certificates

 The use of fetch-crl
 ====================

The use of fetch-crl is highly recommended. This tool will download
the certificate revocation lists for each CA and store it in PEM
format alongside the certificate files. However, the default
configuration on Debian for fetch-crl (currently v3.0.11) is to ignore
CAs which are only installed as symbolic links. Since the igtf-policy
packages strictly use symbolic links, this setting needs to be changed
in /etc/fetch-crl.conf: change 'nosymlinks' to 'symlinks'.

 Unaccredited and experimental CAs
 =================================

The packages igtf-policy-unaccredited contain only CAs that are not yet
or no longer accredited. Their use is not recommended, please be very careful
to review before trusting any CA in this set.

The package igtf-policy-experimental contain CAs that may have use in
a limited context, e.g. for testing purposes, but offer no guarantees
in terms of reliability. Do not install this package unless you know
what you are doing.

 -- Dennis van Dok <dennisvd@nikhef.nl>, Tue, 28 Nov 2017 17:17:21 +0100

APT Browse - Built by Thomas Orozco.