Darren J Moffat wrote:
> Garrett D'Amore wrote:
>> Putting all the certs in one mondo file gives me a few minor
>> concerns, which might be insignificant, but I want to ask them anyway:
>>
>> 1) Do end users have any control over which CAs they do or do not
>> trust? (What if they want all of the CAs except one?)
>
> The end user using the command/tool can point to a separate CA file.
>
> All of the tools I know about can take a single file; not all of them
> appear to be able to take a directory of PEM files.

Ah, that explains this choice. Is there a way (relatively easy for customers) to extract a single cert from the PEM file? (Some tool? Or is the file in some ASCII encoding such that it can just manually be extracted with an editor?)

>
>> 2) How are CRLs handled?
>
> If there is an issue with needing to expire any of these root CAs then
> the way to deal with that is to redeliver the cacert file, not to use a
> CRL. CRLs are for a specific CA and it is their responsibility to
> manage those - note that some of them are huge; OCSP is the
> recommended way of checking certificate revocation.

So the tools are responsible for making this check themselves, using OCSP, right? That makes sense -- end users don't have to take any specific action to get the CRL checking.

>
>> 3) How will updates to the cacert file be handled?
>
> By delivering a new version of the SUNWcacert package containing a new
> cacert.pem file. The method used to get the new version of the
> cacert.pem file is an implementation detail but it will be done using
> the extraction method from the Mozilla NSS files.
>

Okay, thanks for the clarifications. With that, +1

- Garrett
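The two practical questions in the exchange above (pulling one cert out of a single-file PEM bundle, and building a bundle that trusts "all of the CAs except one") come down to the fact that PEM is plain ASCII: each certificate is a base64 body between a `-----BEGIN CERTIFICATE-----` and an `-----END CERTIFICATE-----` line, so a bundle can be cut apart with an editor or a few lines of code. The script below is an added example written for this page; it is not code from the thread, from the SUNWcacert package or from Mozilla NSS. The sample bundle, its label lines and its base64 bodies are constructed placeholders (the bodies are not real DER certificates), and the function names `split_pem_bundle`, `extract_one` and `exclude_by_fingerprint` are this example's own.

```python
"""Split a PEM CA bundle into its certificates, pick one out by its label,
or rebuild the bundle without a given certificate (identified by the SHA-256
of its decoded body, the usual "fingerprint").

Added example for this discussion; not code from the thread or the package.
"""
import base64
import hashlib
import re
from dataclasses import dataclass

# One armoured block, captured whole so it can be written back out verbatim.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


@dataclass(frozen=True)
class PemCert:
    label: str    # free text preceding the block (bundles often put the CA name here)
    pem: str      # the block exactly as it appeared in the bundle
    der: bytes    # decoded body; in a real bundle this is the DER X.509 certificate
    sha256: str   # hex SHA-256 of the decoded body


def split_pem_bundle(bundle: str) -> list[PemCert]:
    """Return every certificate block in the bundle, in file order."""
    certs = []
    last_end = 0
    for m in PEM_BLOCK.finditer(bundle):
        label = bundle[last_end:m.start()].strip()      # text between blocks
        body = "".join(m.group(1).split())               # drop line breaks
        der = base64.b64decode(body, validate=True)      # reject non-base64 junk
        certs.append(PemCert(label, m.group(0), der, hashlib.sha256(der).hexdigest()))
        last_end = m.end()
    return certs


def extract_one(bundle: str, label_substring: str) -> str:
    """Return the single PEM block whose label contains the given text.

    Raises if the text matches zero or several certificates, so a caller never
    silently gets the wrong CA.
    """
    hits = [c for c in split_pem_bundle(bundle) if label_substring in c.label]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} certificates match {label_substring!r}")
    return hits[0].pem


def exclude_by_fingerprint(bundle: str, drop: set[str]) -> str:
    """Rebuild the bundle without the certificates whose SHA-256 is in `drop`.

    This is the "all of the CAs except one" case: the result is still a single
    file, which is what tools that cannot take a directory of PEM files need.
    """
    kept = [c for c in split_pem_bundle(bundle) if c.sha256 not in drop]
    return "".join(f"{c.label}\n{c.pem}\n" if c.label else f"{c.pem}\n" for c in kept)


# Constructed sample bundle. The labels are made up and the bodies are the
# base64 of short placeholder strings, NOT real certificates; a real
# cacert.pem carries DER-encoded X.509 data in the same ASCII framing.
SAMPLE_BUNDLE = """\
Example CA One (constructed)
-----BEGIN CERTIFICATE-----
Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgYm9keSBvbmU=
-----END CERTIFICATE-----
Example CA Two (constructed)
-----BEGIN CERTIFICATE-----
Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgYm9keSB0d28=
-----END CERTIFICATE-----
Example CA Three (constructed)
-----BEGIN CERTIFICATE-----
Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgYm9keSB0aHJlZQ==
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    certs = split_pem_bundle(SAMPLE_BUNDLE)
    for c in certs:
        print(f"{c.sha256[:16]}...  {c.label}")
    print(extract_one(SAMPLE_BUNDLE, "Two"))
    # Drop the first CA and show how many remain in the rebuilt single file.
    reduced = exclude_by_fingerprint(SAMPLE_BUNDLE, {certs[0].sha256})
    print(len(split_pem_bundle(reduced)), "certificates kept")
```

The example identifies certificates by the label line that precedes each block because the placeholder bodies cannot be parsed as X.509; on a real bundle, where a label may be missing or misleading, confirm the choice by reading the subject out of the block itself (for instance with `openssl x509 -noout -subject`) before relying on the fingerprint you exclude.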