Joachim Selke wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Stephen John Smoogen wrote:
>> The problem is if you later want to make the sym-link into a
>> directory. That is the reason for the many directory symlinks...
>> someone forgets to make a directory and creates a symlink and poof you
>> can't later decide on having a directory.
>
> OK. Next try (number 3 has changed, 4 and 5 are new):
>
> (1) /etc/pki/cacerts is created empty by default (by the filesystem
> package)
>
> (2) This directory is filled with default CA certs by (new) packages
> cacerts-mozilla and cacerts-redhat. (There of course might be many other
> cacert-* packages available).
>
> (3) Every application using digital certificates (and capable of
> checking certs against a list of trusted CA certs) creates empty
> directories /etc/pki/$appname/private, /etc/pki/$appname/public and
> /etc/pki/$appname/cacerts for storing certs.
>
> (4) Every application as mentioned in (3) should use
> /etc/pki/$appname/private, /etc/pki/$appname/public and
> /etc/cacerts as default directories for storing certs and looking for CA
> certs. These configuration entries should be commented out by default.
>
> (5) No application should come with "default" or "example" certificates
> contained in its RPM, because certificates should be created by the
> admin for security reasons. To support this, applications may include a
> config file for openssl, that is stored in /etc/pki/$appname.
>
> Any comments on this?

Starting to sound very good. Would you be willing to write this up on the
wiki, somewhere under http://fedoraproject.org/wiki/PackagingDrafts maybe
http://fedoraproject.org/wiki/PackagingDrafts/Pki (I'm sure there probably
exists a better URL to use).

-- Rex

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
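The layout proposed above, as an added example that is not part of the thread or of any Fedora package: one function creates the shared cacerts directory and the three empty per-application directories from steps (1) and (3) with permissions that keep the private directory root-only, and a second checks an RPM file list for the certificate and key payloads step (5) forbids. `PKI_ROOT` is an assumption of this example so the functions can be exercised unprivileged against a scratch directory instead of /etc/pki.

```shell
#!/bin/sh
# Added example, not code from the thread. PKI_ROOT is an assumption:
# it defaults to /etc/pki but can point at a scratch directory for testing.
PKI_ROOT="${PKI_ROOT:-/etc/pki}"

# Create the shared CA directory (step 1) and the empty per-application
# directories (step 3). private/ is 0700 because it will hold keys; the
# other directories are world-readable so any local user can verify certs.
pki_layout() {
    app="$1"
    mkdir -p "$PKI_ROOT/cacerts" \
             "$PKI_ROOT/$app/private" \
             "$PKI_ROOT/$app/public" \
             "$PKI_ROOT/$app/cacerts" || return 1
    chmod 0755 "$PKI_ROOT/cacerts" "$PKI_ROOT/$app/public" \
               "$PKI_ROOT/$app/cacerts" || return 1
    chmod 0700 "$PKI_ROOT/$app/private"
}

# Step 5: read a package file list on stdin (one path per line, as printed
# by `rpm -qlp foo.rpm`) and print any certificate or key files it would
# ship. An openssl config file (*.cnf) under /etc/pki/$appname is allowed
# and does not match. Returns 0 when clean, 1 when something was found.
pki_check_filelist() {
    found=$(grep -E -i '\.(pem|crt|cer|der|key|p12|pfx)$' || true)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}
```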