Stephen John Smoogen wrote:
> The problem is if you later want to make the sym-link into a
> directory. That is the reason for the many directory symlinks...
> someone forgets to make a directory and creates a symlink and poof you
> can't later decide on having a directory.

OK. Next try (number 3 has changed, 4 and 5 are new):

(1) /etc/pki/cacerts is created empty by default (by the filesystem package)

(2) This directory is filled with default CA certs by (new) packages cacerts-mozilla and cacerts-redhat. (There of course might be many other cacert-* packages available).

(3) Every application using digital certificates (and capable of checking certs against a list of trusted CA certs) creates empty directories /etc/pki/$appname/private, /etc/pki/$appname/public and /etc/pki/$appname/cacerts for storing certs.

(4) Every application as mentioned in (3) should use /etc/pki/$appname/private, /etc/pki/$appname/public and /etc/cacerts as default directories for storing certs and looking for CA certs. These configuration entries should be commented out by default.

(5) No application should come with "default" or "example" certificates contained in its RPM, because certificates should be created by the admin for security reasons. To support this, applications may include a config file for openssl, that is stored in /etc/pki/$appname.

Any comments on this?

Joachim

--
B. Sc. Joachim Selke
Universität Hannover, Institut für Theoretische Informatik
Appelstraße 4, 30167 Hannover, Germany
<http://www.thi.uni-hannover.de/>
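An added example, not part of the original message or of any Fedora package: a packaging lint that checks an install root against points (3) and (5) of the proposal above. The function name `check_pki_layout` and its `ROOT` and `APPNAME` parameters are hypothetical, and detection of shipped certificates is limited to PEM-armoured files.

```shell
#!/bin/sh
# Added example: lint an install root against points (3) and (5) of the proposal.
# check_pki_layout ROOT APPNAME   (both parameter names are hypothetical)
#   ROOT    - tree to inspect, e.g. a package build root
#   APPNAME - the $appname used in the proposal
# Prints one line per finding; returns 0 if compliant, 1 otherwise.
check_pki_layout() {
    root=$1
    app=$2
    base="$root/etc/pki/$app"
    rc=0

    # Point (3): private, public and cacerts exist, are empty, and are real
    # directories rather than symlinks (the concern quoted in the message).
    for sub in private public cacerts; do
        dir="$base/$sub"
        if [ -L "$dir" ]; then
            echo "FAIL: $dir is a symlink, expected a directory"
            rc=1
        elif [ ! -d "$dir" ]; then
            echo "FAIL: $dir is missing"
            rc=1
        elif [ -n "$(ls -A "$dir")" ]; then
            echo "FAIL: $dir is not empty"
            rc=1
        fi
    done

    # Point (5): nothing under /etc/pki/$appname may be a shipped certificate
    # or key. Only PEM-armoured files are detected; DER files are not.
    if [ -d "$base" ]; then
        shipped=$(grep -rlE -e '-----BEGIN [A-Z0-9 ]*(CERTIFICATE|PRIVATE KEY)-----' \
            "$base" 2>/dev/null || true)
        if [ -n "$shipped" ]; then
            echo "FAIL: certificate or key material shipped in:"
            echo "$shipped"
            rc=1
        fi
    fi
    return "$rc"
}
```

An openssl config file placed directly in /etc/pki/$appname, as point (5) allows, does not trigger a finding.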