[Test-Announce] Shared System Certificates - TEST DAY, Thursday 2013-03-28

Kamil Paral kparal at redhat.com
Wed Mar 27 15:59:36 UTC 2013


Hi testers, developers, users, hackers, and friends!

We'd like to invite you to our Shared System Certificates Test Day [1]
on this Thursday, March 28 [2]. You can test this feature running from
Fedora 19 live images and help to make this release better.

Join IRC #fedora-test-day on FreeNode and ask QA or developers for help
if you have problems with any of the tests. Feel free to report a bug to
Bugzilla usually for the component ca-certificates, or p11-kit. If you
are unsure about exactly how to file the report or what other
information to include, just ask on IRC and we will help you.

1. https://fedoraproject.org/wiki/Features/SharedSystemCertificates
2. https://fedoraproject.org/wiki/Test_Day:2013-03-28_Shared_System_Certificates



- Some facts about Shared System Certificates -

The intention of the project is to have a single point for CA
certificates and trust configuration on a Linux system, which can be
consumed by multiple cryptographic toolkits and applications, including,
but not limited to, Mozilla Firefox and NSS.

As part of the p11-kit open source project, Stef Walter developed a
software PKCS#11 module that can act as a compatible replacement for one
of the components of NSS, the nssckbi module.

While nssckbi contains a static set of CA certificates and trust
settings, the new p11-kit-trust module is dynamic. It interacts with a
shared system area to dynamically obtain the list of root CA certificates
and their trust settings.

The new shared system area, that Linux distributions can use with
p11-kit-trust, will be preconfigured with the identical contents as
defined by the Mozilla root CA program and as contained in NSS. It can
also get updated whenever Mozilla updates the list.

However, it can be used to adjust a system's configuration, either to
extend, modify or restrict the default trust settings. Because
p11-kit-trust will dynamically merge the system specific configuration
with the default trust settings, updates to the Mozilla CA list continue
to be possible and will be active, unless overridden by system specific
rules.

In other words, this technology will effectively enable administrators
of Linux systems to adjust the root CA list used by Firefox, without
having to modify data stored in NSS databases nor in a user's Firefox
profile directory, and without having to use the Certificate Manager
provided by Firefox. Nevertheless, users of NSS applications such as
Firefox will still be able to override or adjust trust settings, which
will continue to be stored as user (or Firefox) specific settings.


Thanks and Regards!

-- 
Ales "alich" Marecek
Position: Base OS Security QE
E-mail:   amarecek at redhat.com
IRC:      #brno, #qa, #urt, #errata as "alich" or "amarecek"
Phone:    +420 532 294 175
Office:   Brno, Czech Republic

Key fingerprint: B54C 6100 5034 4702 AB77 0396 7560 1434 7860 57C9

