Public key infrastructure
Tomas Mraz
tmraz at redhat.com
Fri Jul 21 13:13:05 UTC 2006
On Fri, 2006-07-21 at 14:24 +0200, Joachim Selke wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Tomas Mraz wrote:
> > I have a comment only about the cacerts situation. If I worked as admin
> > I'd never use all the ca certs shipped in the current CA bundle as
> > trusted for all apps. For web clients maybe, but for verification of
> > LDAP server certificate? Never. Most probably even an internal CA would
> > be used so I'd have to add its certificate anyway. So perhaps there
> > should be individual cacerts directories for individual apps.
>
> Good point. I think we could do the following.
>
> (1) /etc/pki/cacerts is created empty by default (by package filesystem)
>
> (2) This directory is filled with default CA certs by (new) packages
> cacerts-mozilla and cacerts-redhat. (There of course might be many other
> cacert-* packages available).
>
> (3) Every application using digital certificates (and capable of
> checking certs against a list of trusted CA certs) creates the
> directories /etc/pki/$appname/private, /etc/pki/$appname/public and
> /etc/pki/$appname/cacerts for storing certs. The last one by default is
> a symlink pointing to /etc/pki/cacerts.
AFAIK directory as symlink in a package creates problems on package
upgrades so it would be best to leave them simply as empty directories.
The rest of your proposal is fine I think.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
More information about the devel
mailing list