Projects/PKI

From Mandriva

Public Key Infrastructure (PKI)

Ideas to implement/handle PKI in Mandriva Linux


Preface

A discussion regarding a standardized location for SSL keys was recently brought to my attention by StewBenedict. You can find the proposal in the freestandards-fhs-discuss mailing list archive here: http://sourceforge.net/mailarchive/forum.php?thread_id=7098065&forum_id=3128

In Mandriva we already have the /etc/ssl/%{name} structure, but it is not used by all software. The idea is to use the /etc/pki/%{name} structure instead.

A discussion arose in the #mandriva-cooker IRC channel (BuchanMilne, GuillaumeRousse, and ?) about getting rid of those Snake Oil certificates. Maybe make a Drak* UI to choose a CA, both at install time and later, to use valid certificates. There appear to be free CAs on the net, such as cacert.org; why not use them?


Software


RFCs

  • put links here

Certification Authorities


Root CA Database

Investigate the possibility of having a common database for rootcerts. Mozilla and KDE each use their own way of dealing with that. The Mozilla rootcert database is hardcoded into the /usr/lib/libnssckbi.so library; removing all CAs from there makes Mozilla prompt you every time. Currently, none of the CLI tools needed for dealing with this are built from the mozilla-firefox package, but you can install "nss" from contrib (has to match mozilla nss lib version, fixed). I made a new package in contrib called "rootcerts" that uses the Mozilla CA octal database from CVS to generate a "ca-bundle"; I also added the ICP-Brasil CA in there. The idea is to make the rootcerts package the common root CA database that can easily be updated and/or customized by, for example, companies or countries that run their own CA.
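
How an octal CA database of this kind can be turned into a PEM "ca-bundle", as an added example (not the rootcerts package's own code). It assumes the attribute names of Mozilla's certdata.txt format and goes one step beyond the text by keeping only certificates whose trust record marks them as trusted for server authentication; parse_objects, build_bundle, sample_record and SAMPLE are hypothetical names, and the sample records are constructed.

```python
import base64, hashlib, re, textwrap
from itertools import takewhile

TRUSTED = {"CKT_NSS_TRUSTED_DELEGATOR", "CKT_NETSCAPE_TRUSTED_DELEGATOR"}

def parse_objects(text):
    """Split certdata-style text into objects (dict: attribute -> value)."""
    # Attributes seen before the first CKA_CLASS land in a discarded dict.
    objects, cur, lines = [], {}, iter(text.splitlines())
    for line in lines:
        parts = line.strip().split(None, 2)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        if parts[0] == "CKA_CLASS":           # every object starts with its class
            cur = {}
            objects.append(cur)
        if parts[1] == "MULTILINE_OCTAL":     # \ooo escapes up to a lone END line
            body = "".join(takewhile(lambda l: l.strip() != "END", lines))
            octets = re.findall(r"\\([0-3][0-7]{2})", body)
            cur[parts[0]] = bytes(int(o, 8) for o in octets)
        else:
            cur[parts[0]] = parts[2].strip('"') if len(parts) > 2 else ""
    return objects

def build_bundle(text):
    """Return PEM text for certificates trusted for TLS server authentication."""
    objs = parse_objects(text)
    # Trust records identify their certificate by the SHA-1 of its DER encoding.
    trusted = {o.get("CKA_CERT_SHA1_HASH") for o in objs
               if o.get("CKA_TRUST_SERVER_AUTH") in TRUSTED}
    out = []
    for o in objs:
        der = o.get("CKA_VALUE")
        if (o.get("CKA_CLASS") != "CKO_CERTIFICATE" or not der
                or hashlib.sha1(der).digest() not in trusted):
            continue                          # no positive trust record: leave it out
        b64 = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
        out.append(f"# {o.get('CKA_LABEL', '')}\n-----BEGIN CERTIFICATE-----\n"
                   f"{b64}\n-----END CERTIFICATE-----\n")
    return "".join(out)

def sample_record(label, der, trust):         # constructed test data, not a real CA
    def octal(data):
        return "".join(f"\\{b:03o}" for b in data)
    return (f'CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\nCKA_LABEL UTF8 "{label}"\n'
            f"CKA_VALUE MULTILINE_OCTAL\n{octal(der)}\nEND\n"
            f"CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\nCKA_CERT_SHA1_HASH MULTILINE_OCTAL\n"
            f"{octal(hashlib.sha1(der).digest())}\nEND\nCKA_TRUST_SERVER_AUTH CK_TRUST {trust}\n")

SAMPLE = ("BEGINDATA\n" + sample_record("Example Trusted CA", b"\x30\x03\x02\x01\x01", "CKT_NSS_TRUSTED_DELEGATOR")
          + sample_record("Example Distrusted CA", b"\x30\x03\x02\x01\x02", "CKT_NSS_NOT_TRUSTED"))
```

A locally added CA needs both a certificate object and a matching trust record in the input, otherwise the filter drops it from the bundle.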
