
Re: X.509 and CA certificates for other purposes (i.e. the IGTF)



On 24-05-13 19:18, Kurt Roeckx wrote:
> On Fri, May 24, 2013 at 12:32:29PM +0200, Dennis van Dok wrote:
>> The point I'd like to raise is that the current model of CA
>> certificates seems to take an all-or-nothing approach: either a CA is
>> trusted (for whatever purpose) or not. For the IGTF CAs, this may not
>> be the right approach.
> 
> One of the things I would like to see is that trust settings are
> part of a systemwide store.  This means that you can say you trust
> a CA for clients, servers, email, codesigning, ...

This sounds like the model used by libnss, e.g. on Fedora.

> Certificates in ca-certificates mostly come from mozilla, and they
> already have such trust settings.  However they're lost when
> imported in ca-certificates, so applications using the
> certificates from ca-certificates can't check that.

(I would be interested to have an overview of what the trust settings
for Mozilla are; if there are any rejected uses in Mozilla, those should
certainly translate to ca-certificates as well. Of course there is also
X509v3 Key Usage.)

I'm not sure if these trust settings will suffice with respect to the
IGTF certificates. The point is that an IGTF CA is typically trusted for
servers in the science grid domain, but not for servers in other
application domains. (The same holds the other way around.) The current
practice is that these certificates are installed in
/etc/grid-security/certificates, but this is generally regarded as a kludge.

> Openssl can add such trust settings (see x509(1ssl), section
> TRUST SETTINGS).  However it changes the format of the PEM
> file, and gcrypt can't read this.

Is this because it is an experimental feature of OpenSSL, or because of
a missing feature in gcrypt?

Dennis
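Worked example, added here by the editor and not part of Dennis's or Kurt's messages: the script below builds a throw-away CA and one certificate it issued, attaches OpenSSL trust settings to the CA (trusted for serverAuth, explicitly rejected for emailProtection), and then shows three things the thread alludes to: the PEM label changes to the OpenSSL-specific "TRUSTED CERTIFICATE", the trust data is a second DER structure appended after the Certificate inside the PEM body (so it is lost when re-encoded as a plain certificate, and a strict X.509 parser will refuse the file), and `openssl verify -purpose` honours the settings. The CA name, the leaf name and the choice of serverAuth/emailProtection are constructed for illustration; nothing here is IGTF data. It assumes openssl(1) 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: exercise OpenSSL's TRUST SETTINGS
# (x509(1ssl)) on a throw-away CA. Assumes openssl(1) 1.1.1 or later on
# PATH; the CA, leaf and serverAuth/emailProtection choices are
# constructed for illustration and are not IGTF data.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A self-contained req config so the result does not depend on the
# system openssl.cnf (which may add its own v3_ca extensions).
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed CA plus one leaf it issued. The leaf carries no EKU or
# keyUsage, so any verification difference below comes from the CA's
# trust settings, not from the leaf's own extensions.
make_test_pki() {
    openssl req -x509 -config "$WORK/req.cnf" -subj "/CN=Example Grid CA" \
        -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -config "$WORK/req.cnf" -subj "/CN=host.example.org" \
        -newkey rsa:2048 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -set_serial 1 -days 1 \
        -out "$WORK/leaf.pem" 2>/dev/null
}

# Attach trust settings: trusted for TLS servers, explicitly rejected for
# e-mail. -addtrust/-addreject imply -trustout, so the output PEM uses
# the OpenSSL-specific "TRUSTED CERTIFICATE" label. Prints that label.
add_trust_settings() {
    openssl x509 -in "$WORK/ca.pem" \
        -addtrust serverAuth -addreject emailProtection \
        -out "$WORK/ca-trusted.pem"
    head -n 1 "$WORK/ca-trusted.pem"
}

# Re-encode without -trustout: the trust settings are silently dropped,
# which is what happens when a trusted certificate is copied through a
# tool that only knows plain certificates. Prints the new PEM label.
strip_trust_settings() {
    openssl x509 -in "$WORK/ca-trusted.pem" -out "$WORK/ca-plain.pem"
    head -n 1 "$WORK/ca-plain.pem"
}

# Bytes in the PEM body beyond the Certificate itself: the trust and
# reject OIDs are a second DER structure (X509_CERT_AUX) appended after
# the Certificate, which is why a strict X.509 parser refuses the file.
trust_trailer_bytes() {
    sed '/^-----/d' "$WORK/ca-trusted.pem" | openssl base64 -d > "$WORK/body.der"
    openssl x509 -in "$WORK/ca-trusted.pem" -outform DER -out "$WORK/cert.der"
    cert_len=$(wc -c < "$WORK/cert.der")
    body_len=$(wc -c < "$WORK/body.der")
    echo $((body_len - cert_len))
}

# Verify the leaf for a purpose against a CA file and report "ok" or
# "rejected". With -purpose, openssl verify derives the trust OID it
# looks for (sslserver -> serverAuth, smimesign -> emailProtection,
# sslclient -> clientAuth) and checks the CA's trust settings against it.
verify_for() {
    if openssl verify -purpose "$1" -CAfile "$2" "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo rejected
    fi
}

make_test_pki
echo "with trust settings: $(add_trust_settings)"
echo "re-encoded plainly:  $(strip_trust_settings)"
echo "trailer after the Certificate DER: $(trust_trailer_bytes) bytes"
# The appended structure, decoded, lists the trusted and rejected OIDs.
cert_len=$(wc -c < "$WORK/cert.der")
tail -c +$((cert_len + 1)) "$WORK/body.der" | openssl asn1parse -inform DER
echo "sslserver, trusted CA: $(verify_for sslserver "$WORK/ca-trusted.pem")"
echo "smimesign, trusted CA: $(verify_for smimesign "$WORK/ca-trusted.pem")"
echo "sslclient, trusted CA: $(verify_for sslclient "$WORK/ca-trusted.pem")"
echo "smimesign, plain CA:   $(verify_for smimesign "$WORK/ca.pem")"
```

Two things worth noticing in the output. First, once a CA carries an explicit trust list, that list is exclusive: the CA is accepted for sslserver, rejected for smimesign (listed under -addreject), and also rejected for sslclient, which is simply absent from the list; the plain copy of the same CA, having no trust settings, is accepted for every purpose because it is self-signed. Second, the trust data lives outside the Certificate structure, so it is only visible to software that reads the OpenSSL AUX format; a plain-certificate reader either drops it (as the re-encoding step shows) or rejects the file.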

