p11-kit trust module on Debian and OpenSUSE

[Stef Walter]

On 20.06.2013 08:39, Ludwig Nussel wrote:
> Stef Walter wrote:
>> On 12.06.2013 13:51, Ludwig Nussel wrote:
>>> What is the native way to blacklist stuff in p11-kit?
>>
>> p11-kit-trust module loads from directories specified in
>> --with-trust-paths during ./configure. For example, one might have;
>>
>> /usr/share/pki/trust (for files installed by rpms)
>> /etc/pki/trust (for files added by admins)
> 
> Talking about path names... It looks like there are several variants. I see
> that Fedora went ahead with using /etc/pki/ca-trust/source and
> /usr/share/pki/ca-trust-source. The p11-kit documentation refers to
> /usr/share/p11-kit/trust. So far we put the certificates in
> /usr/share/ca-certificates but there is no need to stick to that.
> What's wrong with /usr/share/pki/trust that Fedora didn't use it?

This is all primarily because Fedora had editable certificate bundles.
Yes the certificate bundles were installed by ca-certificates as config
files, meaning that admins could edit them.

The current system in Debian and OpenSUSE is saner, where admins are
explicitly pointed to putting their certificate edits in separate files,
and not editing the generated bundles directly.

So when the time came for Fedora to use the p11-kit-trust, there was an
additional layer of indirection needed.

Although to be honest, it's even a bit more complex than that. Kai, the
maintainer wanted to have the current setup.

What I'm currently working on is tools for adding/removing anchors and
blacklists via the p11-kit-trust module itself. I hope that this
resolves the issue of having different input directories on different
Distros.

In fact, that's why I've been waiting to do the OpenSUSE/Debian
implementation of this stuff. Because once we have a tool to write
things to the right place, it'll be simple to implement the migration
from ca-certificates.conf that you suggested.

Cheers,

Stef

-- 

stef at thewalter.net
http://stef.thewalter.net