2015-07-31 3:15 GMT+03:00 Joel Rees <joel.r...@gmail.com>:
> 2015/07/31 6:49 "Vadim Zhukov" <persg...@gmail.com>:
>>
>> [...]
>>
>> Well, I see four scenarios:
>>
>> 1. Using the defaults supplied with OpenBSD only. Typical for
>> home/personal use.
>>
>> 2. Use the defaults supplied with OpenBSD, and one or more additional
>> CAs. Typical for corporate use.
>>
>> 3. Use personal set of CAs. Usually means either white-, or
>> blacklisting entries from "base" certs pack.
>>
>> After more thinking I see that symlink idea is not good. But we can do
>> some other thing:
>>
>> 1. Have "base" certs installed into /etc/examples/certs.pem.
>> 2. Additional certs, if any, should go into /etc/ssl/local.pem.
>> 3. Have sysmerge handle certs specially: comparing not (old)
>> /etc/examples/cert.pem with /etc/ssl/cert.pem, but
>> /etc/examples/cert.pem+/etc/ssl/local.pem vs. /etc/ssl/cert.pem. In
>> case they do match, sysmerge would regenerate /etc/ssl/cert.pem by
>> concatenating (new) /etc/examples/cert.pem and /etc/ssl/local.pem.
>>
>> What do you think?
>
> I know my opinions don't count much here, but it seems to me that
> mishandled certificates are such a huge cash cow that no one wants to do
> them right. Until the cash cow dies, anything we try now is likely to be
> wrong.
>
> With that caveat, try your ideas on your own system. You'll need to add
> some scripts of your own to extend what sysmerge and other tools do. Post
> to the list about how it works for you over the next year or so.
>
> That's my suggestion.
Discussed off-list. There was a misunderstanding that was (I hope) fixed.

--
WBR,
  Vadim Zhukov
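The cert.pem regeneration rule proposed in the quoted steps 1-3 above, as an added shell example that is neither OpenBSD's sysmerge nor code from this thread: the file paths are parameters (the /etc paths in the mail would be the intended defaults), and the PEM bundles produced by the fixture are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not OpenBSD's sysmerge: the cert.pem merge rule proposed
# in the thread, with the file paths taken as parameters so it can be run
# on scratch files (the /etc paths in the mail would be the real defaults).
#
# Rule: if CURRENT == OLD_BASE + LOCAL, the admin never hand-edited
# cert.pem, so it is safe to regenerate it as NEW_BASE + LOCAL. Otherwise
# the bundle was customised (e.g. CAs removed) and it must not be
# clobbered: leave it alone and let the admin merge by hand.

# count_certs FILE: number of certificates in a PEM bundle.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || :
}

# merge_certs OLD_BASE NEW_BASE LOCAL CURRENT
# Exit status: 0 = CURRENT regenerated, 1 = left alone for a manual merge,
# 2 = I/O error. A missing LOCAL simply means "no additional CAs".
merge_certs() {
    old_base=$1 new_base=$2 localpem=$3 current=$4
    [ -f "$localpem" ] || localpem=/dev/null
    # Temp file lives next to CURRENT so the final rename is atomic.
    tmp=$(mktemp "$current.XXXXXX") || return 2
    cat "$old_base" "$localpem" > "$tmp" || { rm -f "$tmp"; return 2; }
    if cmp -s "$tmp" "$current"; then
        if cat "$new_base" "$localpem" > "$tmp" && mv "$tmp" "$current"; then
            return 0
        fi
        rm -f "$tmp"; return 2
    fi
    rm -f "$tmp"
    return 1
}

# Constructed placeholder "certificates" (not real PEM data) for a dry run.
pem() {
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'
}

# make_fixture DIR: old base (2 CAs), new base (3 CAs), one local CA, and
# a cert.pem that is exactly old base + local, i.e. never hand-edited.
make_fixture() {
    { pem PLACEHOLDER-CA-A; pem PLACEHOLDER-CA-B; } > "$1/old_base.pem"
    { pem PLACEHOLDER-CA-A; pem PLACEHOLDER-CA-B; pem PLACEHOLDER-CA-C; } > "$1/new_base.pem"
    pem PLACEHOLDER-CORP-CA > "$1/local.pem"
    cat "$1/old_base.pem" "$1/local.pem" > "$1/cert.pem"
}
```

Run `make_fixture` into a scratch directory and call `merge_certs` on its files: an untouched bundle picks up the new base CA, while a bundle with a CA removed by hand is left exactly as it was.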