Proposed F19 Feature: Shared System Certificates
Petr Pisar
ppisar at redhat.com
Tue Jan 29 12:49:23 UTC 2013
On 2013-01-28, Florian Weimer <fweimer at redhat.com> wrote:
> On 01/28/2013 03:45 PM, Petr Pisar wrote:
>> On 2013-01-25, Florian Weimer <fweimer at redhat.com> wrote:
>>> On 01/24/2013 12:30 PM, Stef Walter wrote:
>>>
>>>> So yes, as noted in the 'Detailed Description' of the feature, long term
>>>> we hope to follow this up with further work to make all the crypto
>>>> libraries be able to process the information in its entirety.
>>>
>>> Okay. In the long term, it might make sense to offload the entire
>>> certificate chain validation to a daemon.
>>
>> Something like dirmngr?
>
> Good point, dirmngr comes pretty close. But if I recall correctly,
> dirmngr is mainly used to retrieve user certificates over LDAP, for use
> with S/MIME.
dirmngr's purpose is to answer question `Has this certificate been
revoked?'. It traverses whole authority chain, it support OCSP and CRL
over HTTP and LDAP with proper caching. (It does not support partial
CRLs, but that's a detail.) There is dirmngr-client tool to submit the
question. I'm not sure if it verifies the certificate itself.
The only problem is the upstream (Werner Koch & Co.) is a little bit
unresponsive.
-- Petr
More information about the devel
mailing list