where 'o where to store certificates and keys

John Dennis jdennis at redhat.com
Tue Apr 19 22:27:37 UTC 2005


On Tue, 2005-04-19 at 14:53 -0700, Bob Relyea wrote:
> So the world is even *MORE* complicated than this.

Yes, we're aware of this complication :-)

> Only about half our packages use openssl to get their SSL 
> implementations. The other half uses NSS.
> NSS stores keys in a keyX.db file and certs in certX.db. To make 
> matters worse, like openSSL apps,
> NSS apps typically store their own copy of the database somewhere in the 
> user's profile.

We're not talking about user keys and certs, rather system services
specific to the host which have public and private keys and
certificates, the obvious examples are network services providing SSL
connections, but other examples exist.

> I agree we need to solve this problem, but I think we need to take a 
> step back and understand how
> each application uses its keys and certs. Just saying the keys and 
> certs live in a particular directory
> is not sufficient.
> 
> I wish I had seen this discussion earlier. It appears to have completely 
> punted on applications that use NSS.

I'll confess I'm not that familiar with NSS, but if NSS wants to store
things in a .db file, and even if multiple .db files need to live in the
same directory, I don't see why /etc/keys or one of its subdirs wouldn't
meet that requirement (.db files are just simple files, right?).

But once again, just to be clear, users are NOT going to be writing
their keys/certificates in /etc/keys. If a service wants to maintain a
database of per-user keys/certificates in /etc/keys, I don't see a
problem with that because it's the service (running with proper
permissions) that is managing that data, not the user.

-- 
John Dennis <jdennis at redhat.com>
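A defender-side check of the layout John describes: each service owns a subdirectory under /etc/keys, an NSS store is a key/cert .db pair, and nothing in there is writable by ordinary users. This is an added example, not code from the thread; the policy rules, the legacy NSS file names (key3.db/cert8.db) and the sample tree are assumptions.

```python
"""Audit a /etc/keys-style tree where each service owns one subdirectory.
Added example; the policy encoded here is an assumption, not a Fedora standard."""
import os
import stat
import tempfile
from pathlib import Path

NSS_PAIR = ("key3.db", "cert8.db")   # assumed legacy NSS key/cert store names
PRIVATE_SUFFIXES = (".key",)         # plain OpenSSL-style private key files


def _is_private(path):
    return path.suffix in PRIVATE_SUFFIXES or path.name == NSS_PAIR[0]


def audit_key_dir(root):
    """Return sorted (relative_path, problem) findings for every service subdir."""
    root = Path(root)
    findings = []
    for service_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        owner = service_dir.stat().st_uid          # the service account
        entries = [service_dir] + sorted(service_dir.iterdir())
        names = {p.name for p in entries[1:]}
        # An NSS store needs both halves; a lone cert db or key db is incomplete.
        if (NSS_PAIR[0] in names) != (NSS_PAIR[1] in names):
            findings.append((service_dir.name, "incomplete NSS key/cert pair"))
        for p in entries:
            mode, rel = p.stat().st_mode, str(p.relative_to(root))
            if mode & (stat.S_IWGRP | stat.S_IWOTH):      # users could tamper
                findings.append((rel, "group/world writable"))
            if p.is_file() and _is_private(p) and mode & stat.S_IROTH:
                findings.append((rel, "private key world readable"))
            if p.stat().st_uid != owner:                  # not service-managed
                findings.append((rel, "owner differs from service directory"))
    return sorted(findings)


def demo():
    """Build a constructed /etc/keys-like tree in a temp dir and audit it."""
    tmp = Path(tempfile.mkdtemp())
    layout = {  # relative path -> mode; names with a dot become files
        "httpd": 0o750, "httpd/key3.db": 0o600, "httpd/cert8.db": 0o644,
        "mail": 0o777, "mail/server.key": 0o644, "mail/server.crt": 0o644,
        "ldap": 0o750, "ldap/cert8.db": 0o644,
    }
    for rel, mode in layout.items():
        p = tmp / rel
        if "." in p.name:
            p.write_bytes(b"constructed placeholder, not real key material")
        else:
            p.mkdir()
        os.chmod(p, mode)
    return audit_key_dir(tmp)
```

Running `demo()` flags the world-writable mail directory, the world-readable server.key, and the ldap store that has a cert8.db without its key3.db, while the correctly locked-down httpd store passes.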
More information about the Fedora-maintainers mailing list