Public key infrastructure

Joachim Selke selke at thi.uni-hannover.de
Mon Jul 24 17:06:40 UTC 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stephen John Smoogen wrote:
> The problem is if you later want to make the sym-link into a
> directory. That is the reason for the many directory symlinks...
> someone forgets to make a directory and creates a symlink and poof you
> can't later decide on having a directory.

OK. Next try (number 3 has changed, 4 and 5 are new):

(1) /etc/pki/cacerts is created empty by default (by the filesystem package)

(2) This directory is filled with default CA certs by (new) packages
cacerts-mozilla and cacerts-redhat. (There of course might be many other
cacert-* packages available).

(3) Every application using digital certificates (and capable of
checking certs against a list of trusted CA certs) creates empty
directories /etc/pki/$appname/private, /etc/pki/$appname/public and
/etc/pki/$appname/cacerts for storing certs.

(4) Every application as mentioned in (3) should use
/etc/pki/$appname/private, /etc/pki/$appname/public and
/etc/cacerts as default directories for storing certs and looking for CA
certs. These configuration entries should be commented out by default.

(5) No application should come with "default" or "example" certificates
contained in its RPM, because certificates should be created by the
admin for security reasons. To support this, applications may include a
config file for openssl, that is stored in /etc/pki/$appname.

Any comments on this?

Joachim
- --
B. Sc. Joachim Selke
Universität Hannover, Institut für Theoretische Informatik
Appelstraße 4, 30167 Hannover, Germany
<http://www.thi.uni-hannover.de/>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFExP4fq7fYj4TsIUwRAlFIAKCgmkiasZ4M5TKkrcyLItsoYdixOACePN9n
QkEN1rcWbEv4YfJTudb8Xxw=
=p2Cv
-----END PGP SIGNATURE-----




More information about the fedora-devel-list mailing list