On Fri, 2016-06-03 at 15:14 +0200, Tomas Mraz wrote:
> > > Not in the terms of stapled extensions - as the extensions would
> > > have to be stapled onto some concrete certificates. You would have
> > > to basically create stapled extensions for every CA in your trusted
> > > list except for the Red Hat internal CA. And if any additional CA is
> > > added to the trusted list, it would have to get this stapled
> > > extension too.
> > Well you could do that by stapling every other certificate than Red
> > Hat's with corp.redhat.com being on the excluded subtrees.
> Yes, that's what I wrote above however that would not be very
> practical as you would have to monitor the trusted list for additions
> and staple them too once they are added.

Ah, correct. Indeed if ca-certificates is updated and adds new CAs these
will not be stapled. I have no idea whether p11-kit has some way to say
staple all certificates except that one.

regards,
Nikos
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/security@xxxxxxxxxxxxxxxxxxxxxxx
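As an added illustration (not code from this thread, and not p11-kit's stapled-extension format), the following Python models the policy the thread describes: only the internal CA may issue names under corp.redhat.com, enforced by attaching a name-constraints excluded subtree for that domain to every other trust anchor. It implements the RFC 5280 dNSName subtree matching rule and the audit step Tomas says would be needed, which reports anchors that arrived in a later ca-certificates update without the exclusion. The anchor names and the table of what was stapled are constructed for the example.

```python
# Added example, not code from the thread or from p11-kit. It models the
# "staple an excluded subtree onto every CA except the internal one" policy
# and shows the gap discussed above: an anchor added by a later
# ca-certificates update has no stapled exclusion and would be accepted for
# corp.redhat.com names until someone notices and staples it too.
# Anchor names and the STAPLED table are constructed for illustration.

INTERNAL_CA = "Red Hat Internal CA"   # constructed anchor name
EXCLUDED_SUBTREE = "corp.redhat.com"  # the subtree named in the thread

# Constructed trust list as shipped, and the exclusions stapled onto it.
TRUSTED_ANCHORS = ["Public CA 1", "Public CA 2", INTERNAL_CA]
STAPLED = {
    "Public CA 1": [EXCLUDED_SUBTREE],
    "Public CA 2": [EXCLUDED_SUBTREE],
    INTERNAL_CA: [],   # the internal CA deliberately carries no exclusion
}

# Constructed: the same trust list after an update that adds one new CA,
# which nobody stapled an exclusion onto.
TRUSTED_AFTER_UPDATE = TRUSTED_ANCHORS + ["New Public CA 3"]


def dns_name_in_subtree(dns_name, subtree):
    """RFC 5280 section 4.2.1.10 dNSName matching: a name is inside a
    subtree when it equals the subtree or ends with '.' + subtree
    (case-insensitive). 'notcorp.redhat.com' is NOT inside
    'corp.redhat.com' because the label boundary must match."""
    n = dns_name.lower().rstrip(".")
    s = subtree.lower().strip(".")
    return n == s or n.endswith("." + s)


def accepts(anchor, leaf_dns_names, stapled):
    """Would a chain ending at `anchor` be accepted for these leaf names,
    considering only the excluded subtrees stapled onto that anchor?
    Any leaf name falling inside an excluded subtree rejects the chain."""
    for name in leaf_dns_names:
        for subtree in stapled.get(anchor, []):
            if dns_name_in_subtree(name, subtree):
                return False
    return True


def unstapled_anchors(trusted_anchors, stapled,
                      subtree=EXCLUDED_SUBTREE, internal_ca=INTERNAL_CA):
    """The monitoring step from the thread: every anchor other than the
    internal CA must carry an exclusion covering `subtree`. Returns the
    anchors that do not, so they can be stapled before they are trusted
    for that namespace."""
    return [
        anchor for anchor in trusted_anchors
        if anchor != internal_ca
        and not any(dns_name_in_subtree(subtree, s)
                    for s in stapled.get(anchor, []))
    ]


if __name__ == "__main__":
    # A public CA with the exclusion is refused for the internal namespace.
    print(accepts("Public CA 1", ["mail.corp.redhat.com"], STAPLED))
    # The internal CA is still allowed to issue it.
    print(accepts(INTERNAL_CA, ["mail.corp.redhat.com"], STAPLED))
    # The anchor added by the update is the one the audit flags.
    print(unstapled_anchors(TRUSTED_AFTER_UPDATE, STAPLED))
```

The audit function is the part that would have to run against the trust list after every ca-certificates update; the thread's open question is whether p11-kit can express the same "everything except this anchor" rule directly instead.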