On 01/24/2013 09:12 AM, Florian Weimer wrote:
> On 01/23/2013 04:05 PM, Jaroslav Reznik wrote:
>
>> OpenSSL: p11-kit tool will extract trusted certificate PEM blocks from the
>> PKCS#11 trust module.
>> These extracted certificates will be placed in a location so that they
>> can be consumed by OpenSSL by default.
>> The aim is that neither OpenSSL nor OpenSSL applications will have to
>> be changed for this to work.
>
> I think OpenSSL (and GNUTLS, SunSSE) changes are unavoidable if we want
> to process the certdata.txt information in its entirety, including
> explicitly distributed intermediate certificates.

Well, we'll write out the appropriate OpenSSL 'trusted certificate' data so that it can consume that information.

As far as GnuTLS and Java, yes, initially these will only be interacting with the CA certificate data information (and not other information like blacklists, and so on).

So yes, as noted in the 'Detailed Description' of the feature, long term we hope to follow this up with further work to make all the crypto libraries able to process the information in its entirety. This is just the first step for Fedora 19, but it should solve many real-world problems even though there is still future work to be done.

Cheers,

Stef

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel