At the moment we have an ad hoc approach to where we store ssl
certificates and other keys. The openssl package installs
into /usr/share/ssl and some packages store their keys
in /usr/share/ssl/certs/{public,private} because of the lack of anything
better and its the closest thing we have to a standard location. Other
packages (e.g. httpd) store their keys in their own directories.
There are three major reasons to create a new uniform location, and this
is a proposal to do so:
1) /usr/share is designed to be NFS mounted and shared. Private
certificates and keys really should not be located by default in a
directory visible to many machines on the network. /usr/share is an
insecure location.
2) SELinux labeling and policy authorship would be much easier and more
robust if we collected certificates and keys in one place and label
those files appropriately.
3) Certificates and keys are not a property of the openssl package,
there should be a package neutral location in the spirit of FHS to
locate all certificate and key files which can be shared by all
packages. Someplace in /etc seems ideal.
Proposal: the filesystem rpm creates the following 3 new directories
/etc/keys
/etc/keys/public
/etc/keys/private
Individual applications can make use of these directories in whatever
fashion they desire, as long as the files they install there are
certificates or keys of any form. They set their own permissions and
ownerships.
I know this has been debated before, be we've got to make a decision and
move forward (in part because this is now gating some work on my
plate :-). I've had a hallway conversation with Nalin and Dan Walsh and
it was agreed this was the most palatable option at the moment (not
ideal, but a workable solution).
ACK's or NCK's please!
--
John Dennis <jdennis@xxxxxxxxxx>
