On Fri, 2006-07-21 at 11:16 +0200, Joachim Selke wrote: > (2) In order to check what certificates of communication partners can be > trusted many applications can be given a list of CA certs that are > trusted. Openldap, for example, uses configuration entries > "TLSCACertificateFile" and "TLSCACertificatePath". The first entry > refers to a file like ca-bundle.crt of the openssl package that contains > a list of CA certs. The second entries refers to a directory that > contains cert files. > > My suggestion: Remove the default collection of trusted certs from the > openssl package and create a new package for those certs. These certs > then should be stored in /etc/pki/cacerts (one file per cert). > Applications should use this by default as CA directory (openldap: > "TLSCACertificatePath"). The file ca-bundle.crt is not needed anymore > but should be there (in /etc/pki) for compatibility issues. In addition > there should be a script that automatically creates this file from the > contents of /etc/pki/cacerts. With cacerts in an extra package is it > possible to use CA cert "modules". There could be other packages that > contain futher CA certs. Every admin then can decide what certs to > trust. This centralized directory /etc/pki/cacerts additionally makes it > possible to add own CA certs without getting into trouble. > > > What do you think about this? I have a comment only about the cacerts situation. If I worked as admin I'd never use all the ca certs shipped in the current CA bundle as trusted for all apps. For web clients maybe, but for verification of LDAP server certificate? Never. Most probably even an internal CA would be used so I'd have to add its certificate anyway. So perhaps there should be individual cacerts directories for individual apps. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list