Re: Public key infrastructure
- From: Tomas Mraz <tmraz redhat com>
- To: Development discussions related to Fedora Core <fedora-devel-list redhat com>
- Subject: Re: Public key infrastructure
- Date: Fri, 21 Jul 2006 15:13:05 +0200
On Fri, 2006-07-21 at 14:24 +0200, Joachim Selke wrote:
> Tomas Mraz wrote:
> > I have a comment only about the cacerts situation. If I worked as admin
> > I'd never use all the ca certs shipped in the current CA bundle as
> > trusted for all apps. For web clients maybe, but for verification of
> > LDAP server certificate? Never. Most probably even an internal CA would
> > be used so I'd have to add its certificate anyway. So perhaps there
> > should be individual cacerts directories for individual apps.
>
> Good point. I think we could do the following.
>
> (1) /etc/pki/cacerts is created empty by default (by package filesystem)
>
> (2) This directory is filled with default CA certs by (new) packages
> cacerts-mozilla and cacerts-redhat. (There of course might be many other
> cacert-* packages available).
>
> (3) Every application using digital certificates (and capable of
> checking certs against a list of trusted CA certs) creates the
> directories /etc/pki/$appname/private, /etc/pki/$appname/public and
> /etc/pki/$appname/cacerts for storing certs. The last one by default is
> a symlink pointing to /etc/pki/cacerts.
AFAIK, a directory as a symlink in a package creates problems on package
upgrades, so it would be best to leave them simply as empty directories.
The rest of your proposal is fine, I think.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
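The layout from the quoted proposal, together with the reply's point about keeping the per-app cacerts directory a real directory rather than a symlink, as an added shell example (not code from the thread or from Fedora). PKI_ROOT, the function names and the placeholder CA files are assumptions made for a sandbox run.

```shell
#!/bin/sh
# Added example, not code from the thread: set up the proposed layout
# under a sandbox root and give one app its own, smaller trust store.
# Hypothetical: PKI_ROOT stands in for /etc/pki so nothing real is touched.
PKI_ROOT="${PKI_ROOT:-$(mktemp -d)}"

# Step (1): shared /etc/pki/cacerts, empty until cacerts-* packages fill it.
pki_init_root() {
    mkdir -p "$PKI_ROOT/cacerts" && chmod 755 "$PKI_ROOT/cacerts"
}

# Step (3): per-app private/public/cacerts as real directories (no symlink,
# as the reply recommends); private holds keys, so it is mode 0700.
pki_app_init() {
    app="$1"
    mkdir -p "$PKI_ROOT/$app/private" "$PKI_ROOT/$app/public" \
             "$PKI_ROOT/$app/cacerts"
    chmod 700 "$PKI_ROOT/$app/private"
    chmod 755 "$PKI_ROOT/$app/public" "$PKI_ROOT/$app/cacerts"
}

# Trust one named CA for one app by copying it from the shared store.
# Fails if the CA is unknown or the app's cacerts is a symlink.
pki_app_trust() {
    app="$1"; ca="$2"; dst="$PKI_ROOT/$app/cacerts"
    [ -L "$dst" ] && return 1
    [ -f "$PKI_ROOT/cacerts/$ca" ] || return 1
    cp "$PKI_ROOT/cacerts/$ca" "$dst/$ca" && chmod 644 "$dst/$ca"
}

# Number of CA files in a directory, e.g. to compare app vs shared store.
pki_ca_count() {
    ls -1 "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Constructed sample data: placeholder PEM files, not real certificates.
pki_init_root
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' \
    '-----END CERTIFICATE-----' > "$PKI_ROOT/cacerts/mozilla-example.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' \
    '-----END CERTIFICATE-----' > "$PKI_ROOT/cacerts/internal-example-ca.pem"
pki_app_init ldap-client
pki_app_trust ldap-client internal-example-ca.pem
echo "ldap-client trusts $(pki_ca_count "$PKI_ROOT/ldap-client/cacerts") CA(s);" \
     "shared store has $(pki_ca_count "$PKI_ROOT/cacerts")"
```

The app ends up trusting only the CA it was given, while the shared store keeps the full set for clients that want it.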