CA certificate directory for a VPN client

A question arose about a good choice of the default directory for
trusted CA certificates over these proposed rpm PRs:

https://src.fedoraproject.org/rpms/strongswan/pull-request/6
https://src.fedoraproject.org/rpms/strongswan/pull-request/7

An IKEv2 client from the strongSwan package, charon-nm, needs to be
configured with a directory name to load trusted X.509 CAs from. The
CA certificates are used to authenticate VPN servers.

There are the following considerations for the directory choice:

1. It should be in /etc so that it can be configured on ostree machines.
2. There is a concern with using a subdirectory of
/etc/pki/ca-trust/extracted: charon-nm has no regard for key usage
flags, and there are indeed no standardized flags to authorize
specifically the VPN usage. Trusting by default any CA that is used to
validate TLS websites may be considered too permissive; small VPN
operators typically use self-signed or private CA certificates.
3. It would be useful to have a shared CA certificate directory
configured out of the box for various VPN clients, similarly to how
/etc/pki/tls/certs can be shared by any applications using TLS.

I came up with /etc/pki/vpn, which is not currently populated in
Fedora. Would there be a more appropriate choice, governed by PKI
policies that I'm not aware of?
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/TEVX52TCGVXHIRTBJF6RLKA7G3CWQ23O/