Proposed F19 Feature: Shared System Certificates

[Bill Nottingham]

Jaroslav Reznik (jreznik at redhat.com) said: 
>     OpenSSL: p11-kit tool will extract trusted certificate PEM blocks from the 
>         PKCS#11 trust module.
>         These extracted certificates will be placed in a location so that they 
>         can be consumed by OpenSSL by default.
>         The aim is that neither OpenSSL nor OpenSSL applications will have to 
>         be changed for this to work.

"the aim"...

>     GnuTLS: The p11-kit tool tool will extract a CA bundle to be used by GnuTLS 
>         from the PKCS#11 trust module.
>         This CA bundle would be placed in the location where most GnuTLS 
>         applications today are configured to use it.

"most"...

> Obviously applications can continue to use their own CA list as appropriate, 
> for example in servers such as httpd or postfix.

Essentially, how will we know whether apps work transparently with the
library changes, and/or if there are apps that are hardcoding old
locations/methods somewhere?

Bill