On 12.07.2013 20:28, Toshio Kuratomi wrote:
> On Wed, Jul 10, 2013 at 01:22:37PM +0200, Jaroslav Reznik wrote:
>>
>> Because not all crypto implementations read their trusted information directly
>> from the dynamic database, the tool will take care of extracting things as
>> appropriate after making a change. This will enable administrators to run a
>> single command to add an anchor (and perform other tasks).
>>
> So it sounds like this is a modify and sync strategy? Are there other tools
> in the distribution that may modify the primary or the sync'd certificates
> that need to be changed so that they don't step on what p11-kit is doing?

If I'm understanding you correctly, then we already have such a
strategy. Admins modify files in /etc/pki/ca-trust and run
update-ca-trust (is that the sync you're talking about?) which makes sure
all the legacy loaders of the certificate bundles get updated.

This proposal simply adds a tool so that admins don't have to diddle
files directly (although that is still supported).

Cheers,
Stef
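
Added example, not part of the original thread and not code from p11-kit or update-ca-trust: a read-only check for the modify-and-sync gap discussed above, listing anchors that exist in the source directory but are absent from the extracted bundle (sync not run, or the bundle was overwritten by something else). The two default paths are assumptions about a Fedora-style layout, and only PEM `CERTIFICATE` blocks are compared.

```python
import base64
import binascii
import hashlib
import re
from pathlib import Path

# Assumed default locations (not stated in the thread beyond /etc/pki/ca-trust).
ANCHOR_DIR = Path("/etc/pki/ca-trust/source/anchors")
BUNDLE = Path("/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem")

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

def fingerprints(text):
    """SHA-256 hex digests of the DER bytes of each PEM certificate block."""
    out = set()
    for body in PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            continue  # damaged block: skip it rather than abort the audit
        out.add(hashlib.sha256(der).hexdigest())
    return out

def unsynced_anchors(anchor_dir=ANCHOR_DIR, bundle=BUNDLE):
    """Map anchor file name -> fingerprints missing from the extracted bundle."""
    have = fingerprints(Path(bundle).read_text(errors="replace"))
    missing = {}
    for path in sorted(Path(anchor_dir).iterdir()):
        if not path.is_file():
            continue
        # Non-PEM files (DER, p11-kit format) yield no blocks and are ignored.
        gap = fingerprints(path.read_text(errors="replace")) - have
        if gap:
            missing[path.name] = sorted(gap)
    return missing

if __name__ == "__main__":
    if not (ANCHOR_DIR.is_dir() and BUNDLE.is_file()):
        raise SystemExit("assumed ca-trust paths not present on this system")
    for name, fps in unsynced_anchors().items():
        print(f"{name}: not in extracted bundle ({', '.join(fps)})")
```

Any output means the anchor directory and the extracted bundle disagree; an empty result only covers PEM anchors.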