
Re: Debian Policy about administrator X.509 certificate stores [was: Re: dovecot-common: please do not use /etc/ssl/certs for end-entity X.509 certificates (/etc/ssl/certs/dovecot.pem)]



On 04/09/2012 10:35 AM, Kurt Roeckx wrote:
> On Mon, Apr 09, 2012 at 09:52:44AM -0400, Daniel Kahn Gillmor wrote:
>> On 04/07/2012 12:46 PM, Kurt Roeckx wrote:
>>
>>> At least the certdata.txt file contains the information, you can
>>> edit in iceweasel/firefox.
>>
>> edit at runtime or at compile time?  system administrators ideally
>> shouldn't have to recompile packages in order to add or drop system-wide
>> default reliance on a given CA.
> 
> iceweasel/firefox allows editing it at runtime, just like it
> allows you to add more keys to its store.  I think it's stored in
> cert8.db / cert_override.txt.  But that's all per application /
> user.

Right, so this is not system-wide defaults, so it doesn't satisfy the
need described above.

>> Can you propose a mechanism such that this info would not get lost?
> 
> X509 has a way to embed the trust in the certificate itself, see
> "TRUST SETTINGS" in openssl's x509 manpage.

This looks like it only works with PEM output, and it appends chunks of
(base64-encoded) ASN.1 data after the initial base64-encoded ASN.1 blob
of the certificate.  The header and footer of the PEM output change
from -----BEGIN CERTIFICATE----- to -----BEGIN TRUSTED CERTIFICATE-----
which makes it so the certificate apparently can't be read by NSS's
certutil.  A cursory search doesn't turn up any sort of spec for
-----BEGIN TRUSTED CERTIFICATE----- ; do you know if that's documented
somewhere?

	--dkg

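The TRUSTED CERTIFICATE layout described above, as an added Python example that is not part of this thread or of OpenSSL: it splits the base64 blob into the certificate's own DER and the trust-settings structure OpenSSL appends after it (its X509_CERT_AUX: trusted OIDs, rejected OIDs, alias), mapping the usual extended-key-usage OIDs to the names `openssl x509` prints. The sample PEM is constructed inside the code with a stub in place of a real certificate DER, and the names TRUST_OIDS, der_tlv, decode_oid, oid_names and parse_trusted_pem are chosen here.

```python
import base64
# Names OpenSSL prints for trust/reject OIDs (extended-key-usage arcs plus anyExtendedKeyUsage).
TRUST_OIDS = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth",
              "1.3.6.1.5.5.7.3.4": "emailProtection", "2.5.29.37.0": "anyExtendedKeyUsage"}
def der_tlv(buf, pos=0):
    # Read one DER tag-length-value at pos; return (tag, value, position after it).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def decode_oid(value):
    # Decode OBJECT IDENTIFIER content octets into dotted notation.
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))
def oid_names(seq_value):
    # Decode a SEQUENCE OF OID into trust-setting names (unknown OIDs stay dotted).
    names, pos = [], 0
    while pos < len(seq_value):
        _, val, pos = der_tlv(seq_value, pos)
        names.append(TRUST_OIDS.get(decode_oid(val), decode_oid(val)))
    return names
def parse_trusted_pem(pem):
    # Split a TRUSTED CERTIFICATE PEM into the certificate DER and its trust settings.
    header, footer = "-----BEGIN TRUSTED CERTIFICATE-----", "-----END TRUSTED CERTIFICATE-----"
    if header not in pem or footer not in pem:
        raise ValueError("not a TRUSTED CERTIFICATE block; a plain CERTIFICATE carries no trust")
    blob = base64.b64decode("".join(pem.split(header, 1)[1].split(footer, 1)[0].split()))
    _, _, end = der_tlv(blob)                  # first TLV: the X.509 certificate itself
    _, aux, _ = der_tlv(blob, end)             # second TLV: OpenSSL's X509_CERT_AUX trailer
    out, pos = {"cert_der": blob[:end], "trust": [], "reject": [], "alias": None}, 0
    while pos < len(aux):
        tag, val, pos = der_tlv(aux, pos)
        if tag == 0x30:                        # trust: SEQUENCE OF OID
            out["trust"] = oid_names(val)
        elif tag == 0xA0:                      # reject: [0] IMPLICIT SEQUENCE OF OID
            out["reject"] = oid_names(val)
        elif tag == 0x0C:                      # alias: UTF8String (keyid/other are skipped)
            out["alias"] = val.decode("utf-8")
    return out

# Constructed sample: a stub "certificate" (SEQUENCE { INTEGER 0 }, not real X.509 DER) followed by
# an aux trailer that trusts serverAuth, rejects emailProtection and sets the alias "mail-ca".
_AUX = bytes.fromhex("3021" "300a06082b06010505070301" "a00a06082b06010505070304" "0c07") + b"mail-ca"
SAMPLE_PEM = ("-----BEGIN TRUSTED CERTIFICATE-----\n" + base64.encodebytes(bytes.fromhex("3003020100") + _AUX)
              .decode() + "-----END TRUSTED CERTIFICATE-----\n")
```

Because certutil and other non-OpenSSL readers only expect the certificate TLV, the bytes after it in the same blob are exactly what such a tool has no rule for.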