Garrett D'Amore wrote:
> Putting all the certs in one mondo file gives me a few minor concerns,
> which might be insignificant, but I want to ask them anyway:
>
> 1) Do end users have any control over which CAs they do or do not
> trust? (What if they want all of the CAs except one?)

The end user using the command/tool can point to a separate CA file. All of the tools I know about can take a single file; not all of them appear to be able to take a directory of PEM files.

> 2) How are CRLs handled?

If there is an issue with needing to expire any of these root CAs, then the way to deal with that is to redeliver the cacert file, not to use a CRL. CRLs are for a specific CA and it is their responsibility to manage those - note that some of them are huge. OCSP is the recommended way of checking certificate revocation.

> 3) How will updates to the cacert file be handled?

By delivering a new version of the SUNWcacert package containing a new cacert.pem file. The method used to get the new version of the cacert.pem file is an implementation detail, but it will be done using the extraction method from the Mozilla NSS files.

-- 
Darren J Moffat
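The "all of the CAs except one" case from the exchange above, as an added example that is not part of the original thread and is not SUNWcacert or Mozilla NSS code: it splits a concatenated PEM bundle into individual certificate blocks, identifies each by the SHA-256 fingerprint of its DER bytes (so no X.509 parser or third-party library is needed), and rebuilds a bundle without the excluded roots. It assumes the bundle layout produced by extracting the Mozilla store, where a free-text name line may precede each block; the sample bundle and the "Example Root CA" names are constructed placeholders, not real certificates.

```python
"""Filter a PEM CA bundle by SHA-256 fingerprint.

Added example. Assumes a bundle that is a plain concatenation of
PEM certificate blocks, optionally preceded by a label line (as in
Mozilla-derived bundles). Certificates are identified by the SHA-256
of the DER bytes, not by parsing X.509.
"""
import base64
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def parse_bundle(pem_text):
    """Return a list of (label, pem_block, sha256_hex) for each cert."""
    certs = []
    label = None
    body = None
    for line in pem_text.splitlines():
        stripped = line.strip()
        if stripped == BEGIN:
            body = []
        elif stripped == END:
            der = base64.b64decode("".join(body))
            fp = hashlib.sha256(der).hexdigest()
            block = "\n".join([BEGIN] + body + [END]) + "\n"
            certs.append((label or fp[:16], block, fp))
            body = None
            label = None
        elif body is not None:
            if stripped:
                body.append(stripped)
        elif stripped and not stripped.startswith("="):
            # Assumption about the input: the last non-blank line before a
            # BEGIN marker (ignoring "====" underlines) names the next CA.
            label = stripped
    if body is not None:
        raise ValueError("unterminated certificate block")
    return certs


def filter_bundle(pem_text, exclude_fingerprints):
    """Rebuild the bundle without certs whose SHA-256 fingerprint is listed.

    Fingerprints are matched case-insensitively with colons ignored, so the
    value shown by `openssl x509 -fingerprint -sha256` can be pasted in.
    Returns (new_bundle_text, kept_labels).
    """
    excluded = {f.replace(":", "").lower() for f in exclude_fingerprints}
    kept = [c for c in parse_bundle(pem_text) if c[2] not in excluded]
    out = [f"# {label}\n# SHA256: {fp}\n{block}" for label, block, fp in kept]
    return "".join(out), [label for label, _, _ in kept]


def _fake_cert(seed):
    """Constructed placeholder: base64 of arbitrary bytes standing in for
    DER. It is NOT a real certificate and will not load in OpenSSL."""
    raw = hashlib.sha256(seed.encode()).digest() * 4
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN] + lines + [END])


# Constructed sample bundle in the Mozilla-derived layout (name, underline,
# PEM block); the CA names are invented for this example.
SAMPLE_BUNDLE = "\n".join([
    "Example Root CA 1", "=================", _fake_cert("ca1"), "",
    "Example Root CA 2", "=================", _fake_cert("ca2"), "",
    "Example Root CA 3", "=================", _fake_cert("ca3"), "",
])

if __name__ == "__main__":
    for label, _, fp in parse_bundle(SAMPLE_BUNDLE):
        print(f"{fp}  {label}")
    # Drop the second root and show what remains.
    unwanted = parse_bundle(SAMPLE_BUNDLE)[1][2]
    text, labels = filter_bundle(SAMPLE_BUNDLE, [unwanted])
    print("kept:", labels)
```

Write the returned text to a file and point the tool at it instead of the packaged bundle, for example with `openssl verify -CAfile trimmed.pem` or by exporting `SSL_CERT_FILE=/path/to/trimmed.pem` for OpenSSL-based clients; the per-certificate `# SHA256:` comment lines are ignored by PEM readers and make later audits of the trimmed bundle easier.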