Public key infrastructure

[Rex Dieter]

Joachim Selke wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Stephen John Smoogen wrote:
>> The problem is if you later want to make the sym-link into a
>> directory. That is the reason for the many directory symlinks...
>> someone forgets to make a directory and creates a symlink and poof you
>> can't later decide on having a directory.
> 
> OK. Next try (number 3 has changed, 4 and 5 are new):
> 
> (1) /etc/pki/cacerts is created empty by default (by the filesystem
> package)
> 
> (2) This directory is filled with default CA certs by (new) packages
> cacerts-mozilla and cacerts-redhat. (There of course might be many other
> cacert-* packages available).
> 
> (3) Every application using digital certificates (and capable of
> checking certs against a list of trusted CA certs) creates empty
> directories /etc/pki/$appname/private, /etc/pki/$appname/public and
> /etc/pki/$appname/cacerts for storing certs.
> 
> (4) Every application as mentioned in (3) should use
> /etc/pki/$appname/private, /etc/pki/$appname/public and
> /etc/cacerts as default directories for storing certs and looking for CA
> certs. These configuration entries should be commented out by default.
> 
> (5) No application should come with "default" or "example" certificates
> contained in its RPM, because certificates should be created by the
> admin for security reasons. To support this, applications may include a
> config file for openssl, that is stored in /etc/pki/$appname.
> 
> Any comments on this?

Starting to sound very good.  Would you be willing to write this up on the
wiki, somewhere under
http://fedoraproject.org/wiki/PackagingDrafts
maybe 
http://fedoraproject.org/wiki/PackagingDrafts/Pki
(I'm sure there probably exists a better URL to use).

-- Rex