Public key infrastructure

Joachim Selke selke at thi.uni-hannover.de
Fri Jul 21 12:24:56 UTC 2006


Tomas Mraz wrote:
> I have a comment only about the cacerts situation. If I worked as admin
> I'd never use all the ca certs shipped in the current CA bundle as
> trusted for all apps. For web clients maybe, but for verification of
> LDAP server certificate? Never. Most probably even an internal CA would
> be used so I'd have to add its certificate anyway. So perhaps there
> should be individual cacerts directories for individual apps.

Good point. I think we could do the following.

(1) /etc/pki/cacerts is created empty by default (by package filesystem)

(2) This directory is filled with default CA certs by (new) packages
cacerts-mozilla and cacerts-redhat. (There of course might be many other
cacert-* packages available).

(3) Every application using digital certificates (and capable of
checking certs against a list of trusted CA certs) creates the
directories /etc/pki/$appname/private, /etc/pki/$appname/public and
/etc/pki/$appname/cacerts for storing certs. The last one by default is
a symlink pointing to /etc/pki/cacerts.


This in my opinion has some advantages:

(A) Admins can choose which CAs to trust by installing the best fitting
cacert-* package. Additionally they can simply add their own CA certificates
into one directory that from then on all applications trust by default.

(B) If needed for some application the list of trusted CAs can be
modified individually.


Do you agree?


Joachim
--
B. Sc. Joachim Selke
Universität Hannover, Institut für Theoretische Informatik
Appelstraße 4, 30167 Hannover, Germany
<http://www.thi.uni-hannover.de/>
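
The layout proposed in steps (1) to (3), together with the per-application override from (B), as an added example that is not part of the original message. It builds the tree under a scratch root instead of the real /etc/pki; `PKI_ROOT`, the function names, the application names and the `.pem` file names are assumptions, and the `.pem` files are empty placeholders rather than real certificates.

```shell
#!/bin/sh
# Added example: the proposed /etc/pki layout under a scratch root.
# All names below are illustrative; the .pem files are empty placeholders.
set -eu

PKI_ROOT="$(mktemp -d)/etc/pki"

# (1) shared store, created empty
pki_init() { mkdir -p "$PKI_ROOT/cacerts"; }

# (2) what a cacerts-* package or an admin does: drop a CA into the store
pki_install_ca() { : > "$PKI_ROOT/cacerts/$1"; }

# (3) per-application directories; cacerts defaults to a symlink to the store
pki_add_app() {
    app_dir="$PKI_ROOT/$1"
    mkdir -p "$app_dir/private" "$app_dir/public"
    chmod 700 "$app_dir/private"
    [ -e "$app_dir/cacerts" ] || ln -s ../cacerts "$app_dir/cacerts"
}

# (B) give one application its own trust list: replace the symlink with a
# real directory holding only the CAs named on the command line
pki_restrict_app() {
    app=$1; shift
    link="$PKI_ROOT/$app/cacerts"
    if [ -L "$link" ]; then rm "$link"; fi
    mkdir -p "$link"
    for ca in "$@"; do : > "$link/$ca"; done
}

# CA files an application would see, one per line, sorted
pki_trusted() { ls -1 "$PKI_ROOT/$1/cacerts/" | sort; }

pki_init
pki_install_ca mozilla-bundle.pem
pki_add_app httpd
pki_add_app openldap
pki_restrict_app openldap internal-ca.pem   # LDAP trusts the internal CA only
pki_install_ca redhat-ca.pem                # later addition to the shared store

echo "httpd:    $(pki_trusted httpd | tr '\n' ' ')"
echo "openldap: $(pki_trusted openldap | tr '\n' ' ')"
```

The application that kept the symlink picks up the CA added to the shared store afterwards, while the restricted one does not.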