johansen at sun.com wrote:
> [Originally sent this to Darren, but forgot to CC PSARC-ext]

I didn't get that email.

> Hi Darren,
>
> I got forwarded a pointer to this case that you filed. Thanks for
> taking the time to do this.
>
>> http://sac.eng/Archives/CaseLog/arc/PSARC/2009/430/20090811_darren.moffat
>
> I would recommend using the certificate directory approach instead of
> creating a single file with all certificates.

This case doesn't preclude that.

> The directory allows us to use a single PEM file per-certificate instead
> of having a huge PEM blob. The single PEM file consumes more memory,
> since the whole blob gets loaded into memory. If the directory is used,
> individual keys are loaded into memory instead.

It is only 198k.

> Delivering a single blob also has implications for package delivery. If
> we use a directory, other packages can deliver certs to a common
> location, if needed. The blob approach blocks multiple party certificate
> delivery, and requires us to update the entire blob when one certificate
> changes. It would be more elegant to add/remove the affected files from
> a certificate directory.

This case doesn't preclude other packages adding additional certs to /etc/certs/; in fact other packages already do. This case is about delivering the well known browser SSL certs, and as such I think it is entirely appropriate to do so in a single file. I believe other systems do it that way.

> Since I had to solve this problem for pkg(5), I've already written code
> that can extract the certs from mozilla's nss library, or their CVS
> server, and then build a directory of certs with corresponding
> hash-value named symlinks. Feel free to use this code instead of
> writing more from scratch.

One reason for using a single file is to avoid having to do the hash-value symlinks.

This case is already closed and ready to be delivered; unless you think it is fundamentally broken, I really don't want to re-open it.

--
Darren J Moffat
I didn't get that email. > Hi Darren, > > I got forwarded a pointer to this case that you filed. Thanks for > taking the time to do this. > >> http://sac.eng/Archives/CaseLog/arc/PSARC/2009/430/20090811_darren.moffat > > I would recommend using the certificate directory approach instead of > creating a single file with all certificates. This case doesn't preclude that. > The directory allows us to use a single PEM file per-certificate instead > of having a huge PEM blob. The single PEM file consumes more memory, > since the whole blob gets loaded into memory. If the directory is used, > individual keys are loaded into memory instead. It is only 198k > Delivering a single blob also has implications for package delivery. If > we use a directory, other packages can deliver certs to a common > location, if needed. The blob approach blocks multiple party certificate > delivery, and requires us to update the entire blob when one certificate > changes. It would be more elegant to add/remove the affected files from > a certficiate directory. This case doesn't preclude other packages adding additional certs to /etc/certs/ in fact other packages already do. This case is about delivering the well known browser SSL certs and as such I think it is entirely appropriate to do so in a single file. I believer other systems do it that way. > Since I had to solve this problem for pkg(5), I've already written code > that can extract the certs from mozilla's nss library, or their CVS > server, and then build a directory of certs with corresponding > hash-value named symlinks. Feel free to use this code instead of > writing more from scratch. One reason for using a single file is to avoid having to do the hash-value symlinks. This case is already closed and ready to be delivered, unless you think it is fundamentally broken I really don't want to re-open it. -- Darren J Moffat