-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tomas Mraz wrote:
> I have a comment only about the cacerts situation. If I worked as admin
> I'd never use all the ca certs shipped in the current CA bundle as
> trusted for all apps. For web clients maybe, but for verification of
> LDAP server certificate? Never. Most probably even an internal CA would
> be used so I'd have to add its certificate anyway. So perhaps there
> should be individual cacerts directories for individual apps.

Good point. I think we could do the following.

(1) /etc/pki/cacerts is created empty by default (by package filesystem).

(2) This directory is filled with default CA certs by (new) packages
cacerts-mozilla and cacerts-redhat. (There of course might be many
other cacert-* packages available.)

(3) Every application using digital certificates (and capable of
checking certs against a list of trusted CA certs) creates the
directories /etc/pki/$appname/private, /etc/pki/$appname/public and
/etc/pki/$appname/cacerts for storing certs. The last one by default
is a symlink pointing to /etc/pki/cacerts.

This in my opinion has some advantages:

(A) Admins can choose which CAs to trust by installing the best
fitting cacert-* package. Additionally they can simply add their own CA
certificates into one directory that from then on all applications
trust by default.

(B) If needed, for some application the list of trusted CAs can be
modified individually.

Do you agree?

Joachim

- --
B. Sc. Joachim Selke
Universität Hannover, Institut für Theoretische Informatik
Appelstraße 4, 30167 Hannover, Germany
<http://www.thi.uni-hannover.de/>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFEwMeYq7fYj4TsIUwRArcTAJ9o+XlBalAulDX7XEJobAtO4/HUTwCdEoa+
WmrwxvGUfP/Spt7WUA2HzaY=
=W1NU
-----END PGP SIGNATURE-----

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
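The layout proposed in steps (1) to (3) above, and the per-application override from point (B), as an added example that is not part of the original thread or of any Fedora package. It builds the hierarchy under a configurable root (PKI_ROOT, defaulting to a temporary directory) instead of the real /etc/pki so it can be tried without privileges; the function names, the application names and the placeholder PEM contents are this example's own assumptions, not anything the thread specifies.

```shell
#!/bin/sh
# Added example (not from the original thread): lays out the proposed
# /etc/pki hierarchy under PKI_ROOT so it can be exercised without
# touching the real system. Function and application names are assumed.
set -eu

PKI_ROOT="${PKI_ROOT:-$(mktemp -d)}"

# Step (1): the shared trust store, created empty by default.
pki_init() {
    mkdir -p "$PKI_ROOT/cacerts"
}

# Step (2): what a cacerts-* package (or an admin adding an internal CA)
# would do: drop a CA certificate into the shared directory. A constructed
# placeholder PEM body stands in for a real certificate here.
pki_add_shared_ca() {
    name="$1"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERT' \
        '-----END CERTIFICATE-----' > "$PKI_ROOT/cacerts/$name.pem"
}

# Step (3): per-application directories. cacerts is a relative symlink to
# the shared store, so every app trusts the same CAs unless detached.
# private/ is restricted to the owner since it will hold key material.
pki_app_init() {
    app="$1"
    mkdir -p "$PKI_ROOT/$app/private" "$PKI_ROOT/$app/public"
    chmod 0700 "$PKI_ROOT/$app/private"
    if [ ! -e "$PKI_ROOT/$app/cacerts" ]; then
        ln -s ../cacerts "$PKI_ROOT/$app/cacerts"
    fi
}

# Point (B): detach one application from the shared store by replacing the
# symlink with a private directory holding only the listed CAs. Copies are
# used rather than symlinks so later changes to the shared store do not
# silently widen this application's trust.
pki_app_restrict() {
    app="$1"; shift
    dir="$PKI_ROOT/$app/cacerts"
    if [ -L "$dir" ]; then rm "$dir"; fi
    mkdir -p "$dir"
    for ca in "$@"; do
        cp "$PKI_ROOT/cacerts/$ca.pem" "$dir/"
    done
}

# "shared" while the app still follows the shared store, "private" once it
# has its own directory. Useful as an audit check across all apps.
pki_app_trust_mode() {
    if [ -L "$PKI_ROOT/$1/cacerts" ]; then echo shared; else echo private; fi
}

# Number of CA files the application currently trusts.
pki_app_ca_count() {
    ls "$PKI_ROOT/$1/cacerts"/*.pem 2>/dev/null | wc -l | tr -d ' '
}

# Walk-through: two vendor roots plus an internal CA in the shared store;
# httpd keeps the default, the LDAP client is restricted to the internal CA.
pki_init
pki_add_shared_ca mozilla-root-1
pki_add_shared_ca mozilla-root-2
pki_add_shared_ca corp-internal-ca
pki_app_init httpd
pki_app_init openldap
pki_app_restrict openldap corp-internal-ca
```

Run it as-is to get a throwaway tree under a temporary directory, or set PKI_ROOT to inspect a chosen location; `pki_app_trust_mode` over every application directory gives an admin a quick list of which apps have diverged from the shared store, which is the state point (B) makes possible and worth keeping visible.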