= Proposed Self Contained Change: Shared Certificate Tools =
https://fedoraproject.org/wiki/Changes/SharedCertificateTools
Change owner(s): Stef Walter <stefw(a)redhat.com>
Fedora now has infrastructure for sharing system trusted certificates between
the various crypto libraries.
Tools are being worked on for adding/removing these shared trusted
certificates, as well as blacklisted certificates. This is being worked on
upstream in the p11-kit project.
This change integrates that upstream work into Fedora.
== Detailed description ==
A tool will be added to the p11-kit-trust package which can be used to perform
the following actions:
* Add a trust anchor
* Disable a trust anchor
* Remove an added trust anchor
* Blacklist a certificate or key
* Remove a blacklisted certificate or key
Because not all crypto implementations read their trusted information directly
from the dynamic database, the tool will take care of extracting things as
appropriate after making a change. This will enable administrators to run a
single command to add an anchor (and perform other tasks).
== Scope ==
p11-kit has had work done to have the trust module store changes. The initial
tool has been written upstream. The remainder of the tool needs completion.
The ca-certificates package will need some minor tweaks to make sure the new
tools integrate correctly with it.
Although this feature can potentially affect a large number of packages, the
implementation is well bounded. It is limited to p11-kit (with one or two
lines changed in ca-certificates).
Proposal owners: stefw, see above
Other developers: kaie (for ca-certificates)
Release engineering: N/A (not a System Wide Change)
Policies and guidelines: N/A (not a System Wide Change)