Projects/PKI
From Mandriva
Ideas to implement/handle PKI in Mandriva Linux
Preface
A discussion regarding a standardized location for SSL keys was recently brought to my attention by StewBenedict. You can find the proposal in the freestandards-fhs-discuss mailing list archive: http://sourceforge.net/mailarchive/forum.php?thread_id=7098065&forum_id=3128
In Mandriva we already have the /etc/ssl/%{name} structure, but it is not used by all software. The idea is to use the /etc/pki/%{name} structure instead.
A discussion arose in the #mandriva-cooker IRC channel (BuchanMilne, GuillaumeRousse, and ?) about getting rid of those Snake Oil certificates. One option is a Drak* UI for choosing a CA, both at install time and later, so that valid certificates are used. There appear to be free CAs on the net, such as cacert.org, so why not use them?
Software
- http://www.openca.org/ OpenCA
- http://www.openssl.org/ OpenSSL
- http://idx-pki.idealx.org/index.fr.html idealx's PKI platform (probably overkill)
- put links here
RFCs
- put links here
Certification Authorities
- http://www.cacert.org/ (free)
- http://www.thawte.com/
- http://www.verisign.com/
- put links here
Root CA Database
Investigate the possibility of having a common database for root certificates. Mozilla and KDE each have their own way of dealing with that.
The Mozilla root certificate database is hardcoded into the /usr/lib/libnssckbi.so library; removing all CAs from there makes Mozilla prompt you every time. Currently none of the CLI tools needed for dealing with this are built from the mozilla-firefox package, but you can install "nss" from contrib (has to match mozilla nss lib version, fixed).
I made a new package in contrib called "rootcerts" that uses the Mozilla CA octal database from CVS to generate a "ca-bundle". I also added the ICP-Brasil CA in there. The idea is to make the rootcerts package the common root CA database that can easily be updated and/or customized by, for example, companies or countries that run their own CA.
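How an octal-encoded root certificate entry becomes a PEM block in a ca-bundle, as an added example (not the rootcerts package's own code). It assumes the database uses the NSS certdata.txt layout (CKA_LABEL, CKA_VALUE MULTILINE_OCTAL, END); the sample entry is constructed and is not a real CA certificate.

```python
import base64
import re
import textwrap

# Constructed sample in the NSS certdata.txt layout (an assumption; the page
# only says "octal database"). The bytes are a tiny DER stub, not a real CA.
SAMPLE = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root CA (constructed)"
CKA_VALUE MULTILINE_OCTAL
\060\003\002
\001\005
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA (constructed)"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\001\002
END
'''

def parse_certs(text):
    """Return [(label, der_bytes)] for each certificate object in text."""
    certs, label, octal, in_value, is_cert = [], None, [], False, False
    for line in text.splitlines():
        line = line.strip()
        if in_value:
            if line == "END":  # end of the octal block: decode \ooo triplets
                digits = re.findall(r"\\([0-7]{3})", "".join(octal))
                if is_cert:
                    certs.append((label, bytes(int(d, 8) for d in digits)))
                octal, in_value = [], False
            else:
                octal.append(line)
        elif line.startswith("CKA_CLASS"):
            is_cert = line.endswith("CKO_CERTIFICATE")
        elif line.startswith("CKA_LABEL"):
            m = re.search(r'"(.*)"', line)
            label = m.group(1) if m else None
        elif line.startswith("CKA_VALUE MULTILINE_OCTAL"):
            in_value = True  # only the certificate body, not hashes or serials
    return certs

def to_bundle(certs):
    """Render parsed certificates as a PEM ca-bundle string."""
    out = []
    for label, der in certs:
        b64 = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
        out.append(f"# {label}\n-----BEGIN CERTIFICATE-----\n{b64}\n"
                   "-----END CERTIFICATE-----\n")
    return "\n".join(out)
```

This example ignores the trust objects. A bundle generator for real use must also read them, because the database can list certificates that are explicitly distrusted.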