[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Public key infrastructure

Hash: SHA1

Stephen John Smoogen wrote:
> The problem is if you later want to make the sym-link into a
> directory. That is the reason for the many directory symlinks...
> someone forgets to make a directory and creates a symlink and poof you
> can't later decide on having a directory.

OK. Next try (number 3 has changed, 4 and 5 are new):

(1) /etc/pki/cacerts is created empty by default (by the filesystem package)

(2) This directory is filled with default CA certs by (new) packages
cacerts-mozilla and cacerts-redhat. (There of course might be many other
cacert-* packages available).

(3) Every application using digital certificates (and capable of
checking certs against a list of trusted CA certs) creates empty
directories /etc/pki/$appname/private, /etc/pki/$appname/public and
/etc/pki/$appname/cacerts for storing certs.

(4) Every application as mentioned in (3) should use
/etc/pki/$appname/private, /etc/pki/$appname/public and
/etc/cacerts as default directories for storing certs and looking for CA
certs. These configuration entries should be commented out by default.

(5) No application should come with "default" or "example" certificates
contained in its RPM, because certificates should be created by the
admin for security reasons. To support this, applications may include a
config file for openssl, that is stored in /etc/pki/$appname.

Any comments on this?

- --
B. Sc. Joachim Selke
Universität Hannover, Institut für Theoretische Informatik
Appelstraße 4, 30167 Hannover, Germany
Version: GnuPG v1.4.4 (GNU/Linux)


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]