Darren J Moffat wrote:
> Garrett D'Amore wrote:
>> Putting all the certs in one mondo file gives me a few minor 
>> concerns, which might be insignificant, but I want to ask them anyway:
>>
>> 1) Do end users have any control over which CAs they do or do not 
>> trust?  (What if they want all of the CAs except one?)
>
> The end user using the command/tool can point to a separate CA file.
>
> All of the tools I know about can take a single file not all of them 
> appear to be able to take a directory of PEM files.

Ah, that explains this choice.  Is there a way (relatively easy for 
customers) to extract a single Cert from the PEM file?  (Some tool?  Or 
is the file in some ASCII encoding such that it can just manually be 
extracted with an editor?)

>
>> 2) How are CRL handled?
>
> If there is an issue with needing to expire any of these root CAs then 
> the way to deal with that is to redeliver the cacert file not to use a 
> CRL.  CRLs are for a specific CA and it is their responsibility to 
> manage those - note that some of them are huge, OCSP is the 
> recommended way of checking certificate revocation.

So the tools are responsible for making this check themselves, using 
OCSP, right?  That makes sense -- end users don't have to take any 
specific action to get the CRL checking.

>
>> 3) How will updates to the cacert file be handled?
>
> By delivering a new version of the SUNWcacert package containing a new 
> cacert.pem file.  The method used to get the new version of the 
> cacert.pem file is an implementation detail but it will be done using 
> the extraction method from the Mozilla NSS files.
>

Okay, thanks for the clarifications.  With that, +1

    - Garrett
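Splitting a concatenated cacert.pem into its individual certificates, and rebuilding it with one CA left out, as an added example that is not from this thread or the SUNWcacert package. The PEM bundle is plain ASCII (base64 DER between BEGIN/END lines), so this is the scripted alternative to cutting it with an editor; the labels and layout below are constructed, and the base64 bodies are placeholder DER SEQUENCEs, not real certificates.

```python
import base64
import re

# Constructed sample bundle: the layout mirrors a Mozilla-style ca-bundle
# (a friendly-name line above each block), but the base64 bodies are
# placeholder DER SEQUENCEs, not real certificates.
SAMPLE_BUNDLE = """\
Example Root CA 1
=================
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----

Example Root CA 2
=================
-----BEGIN CERTIFICATE-----
MAMCAQI=
-----END CERTIFICATE-----
"""

BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\n(.*?)\n-----END CERTIFICATE-----",
    re.DOTALL,
)

def split_bundle(text):
    """Return a list of (label, pem_block) pairs from a concatenated PEM file.

    The label is the last non-empty, non-separator line before each block;
    it falls back to a positional name when the bundle has no labels.
    """
    certs = []
    pos = 0
    for i, m in enumerate(BLOCK_RE.finditer(text)):
        preceding = [ln.strip() for ln in text[pos:m.start()].splitlines()
                     if ln.strip() and not set(ln.strip()) <= {"=", "-", "#"}]
        label = preceding[-1] if preceding else "cert-%d" % i
        body = "".join(m.group(1).split())
        der = base64.b64decode(body, validate=True)
        # Every X.509 certificate is a DER SEQUENCE (first byte 0x30);
        # a block that is not one is corrupt or mis-pasted.
        if not der or der[0] != 0x30:
            raise ValueError("block %r is not DER-encoded ASN.1" % label)
        certs.append((label, m.group(0)))
        pos = m.end()
    return certs

def bundle_without(text, excluded_label):
    """Rebuild the bundle as a PEM file with one CA removed."""
    kept = [pem for label, pem in split_bundle(text) if label != excluded_label]
    return "\n".join(kept) + "\n"
```

The output of bundle_without is itself a valid PEM bundle that can be handed to any tool taking a single CA file.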

