Proposed F19 Feature: Shared System Certificates

Stef Walter stefw at redhat.com
Thu Jan 24 11:30:56 UTC 2013


On 01/24/2013 09:12 AM, Florian Weimer wrote:
> On 01/23/2013 04:05 PM, Jaroslav Reznik wrote:
> 
>>      OpenSSL: p11-kit tool will extract trusted certificate PEM blocks
>>          from the PKCS#11 trust module.
>>          These extracted certificates will be placed in a location so
>>          that they can be consumed by OpenSSL by default.
>>          The aim is that neither OpenSSL nor OpenSSL applications will
>>          have to be changed for this to work.
> 
> I think OpenSSL (and GNUTLS, SunSSE) changes are unavoidable if we want
> to process the certdata.txt information in its entirety, including
> explicitly distributed intermediate certificates.

Well, we'll write out the appropriate OpenSSL 'trusted certificate' data
so that it can consume that information.

As for GnuTLS and Java, yes, initially these will only be interacting
with the CA certificate data (and not other information like
blacklists, and so on).

So yes, as noted in the 'Detailed Description' of the feature, long term
we hope to follow this up with further work to make all the crypto
libraries able to process the information in its entirety.

This is just the first step for Fedora 19, but should solve many real
world problems even though there is still future work to be done.

Cheers,

Stef
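The 'trusted certificate' data mentioned above is OpenSSL's TRUSTED CERTIFICATE PEM form: the certificate's DER followed by an X509_CERT_AUX trailer that carries the trusted and rejected purpose OIDs (plus an optional alias), which is how trust and blacklist information can reach OpenSSL without code changes. The Python below is an added example, not code from p11-kit, OpenSSL or the feature page; it parses such a block, and its sample block is constructed with a placeholder certificate body rather than a real certificate.

```python
import base64
import re

def tlv(tag, body):               # DER TLV with a short-form length (enough for the sample)
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):           # -> (tag, content bytes, position after the element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                 # long-form length
        n, pos = ln & 0x7F, pos + (ln & 0x7F)
        ln = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + ln], pos + ln

def oid_dec(body):                # DER OBJECT IDENTIFIER content -> dotted string
    parts, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))

def oids(body):                   # decode every OID inside a SEQUENCE OF OID
    out, p = [], 0
    while p < len(body):
        _, o, p = read_tlv(body, p)
        out.append(oid_dec(o))
    return out

def parse_trusted_certificate(pem):
    m = re.search(r"-----BEGIN TRUSTED CERTIFICATE-----(.*?)-----END TRUSTED CERTIFICATE-----", pem, re.S)
    der = base64.b64decode(m.group(1))
    _, cert, p = read_tlv(der, 0)   # the Certificate SEQUENCE, as in an ordinary PEM cert
    _, aux, _ = read_tlv(der, p)    # the X509_CERT_AUX SEQUENCE appended after it
    info, q = {"cert_der_len": len(cert), "trust": [], "reject": [], "alias": None}, 0
    while q < len(aux):
        tag, body, q = read_tlv(aux, q)
        if tag == 0x30:   info["trust"] = oids(body)      # SEQUENCE OF OID: trusted purposes
        elif tag == 0xA0: info["reject"] = oids(body)     # [0] IMPLICIT SEQUENCE OF OID: rejected
        elif tag == 0x0C: info["alias"] = body.decode()   # UTF8String: friendly name
    return info

# Constructed sample: a placeholder SEQUENCE standing in for a real X.509 certificate, then an
# aux trailer trusting serverAuth (1.3.6.1.5.5.7.3.1) and rejecting emailProtection (1.3.6.1.5.5.7.3.4).
SERVER_AUTH, EMAIL_PROT = bytes.fromhex("06082b06010505070301"), bytes.fromhex("06082b06010505070304")
_fake_cert = tlv(0x30, tlv(0x04, b"placeholder, not a real certificate"))
_aux = tlv(0x30, tlv(0x30, SERVER_AUTH) + tlv(0xA0, EMAIL_PROT) + tlv(0x0C, b"Example Root CA"))
SAMPLE_PEM = ("-----BEGIN TRUSTED CERTIFICATE-----\n" + base64.encodebytes(_fake_cert + _aux).decode()
              + "-----END TRUSTED CERTIFICATE-----\n")
```

A block with no trailer after the certificate parses as an ordinary certificate with empty trust and reject lists, which is exactly why unmodified OpenSSL applications keep working on the extracted bundle.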


