On 02/08/2013 12:41 PM, Michael Scherer wrote:
For a certificate, that's slightly more subtle. A certificate alone in a package cannot do much. If there is no private key, then it cannot be used out of the box, except for client side validation ( afaik ). So all .pam certificates we can find would be used to validate another ssl certificates.
Embedding a certificate in a RPM is fine because we can handle revocation/key rollover through an RPM update—especially if it's not a configuration file. We might eventually get a better mechanism, but until that happens, it's not so bad.
(This assumes that we own the certificate in question. Obviously, it won't do to download the certificate from the Internet, bake it in, and hope that it won't change until it expires. That's just not going to work.)
-- Florian Weimer / Red Hat Product Security Team -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
