Mark Martin wrote: >>> Instead the discussion should maybe stick to just the question of >>> what the default HTTPS setting should be, whether Darren's suggestion >>> of linking this case to shipping a working root CA file is >>> appropriate, and how to document how to load alternate certs. >> >> Lets assume there is a file that had the same set of CA certificates >> as is present in firefox and it was in a format suitable for libsoup. >> With that assumption is there any reason not to have HTTPS enabled >> with Webkit pointing to that file ? >> > Makes sense to me. > > My experience so far is that in cases like this, an opinion is issued > with advice language intended for project management/funding for another > project to deliver that necessary deliverable. Do we need to continue > to hold this project hostage or can we re-approve it with the directive > that the PMO needs to fund a project to deliver CA certs so that we can > switch the default from /dev/null to /home/of/certs?
Usually this would be a case dependency on this case so that it can't deliver until the case that delivers the CA certs bundle has delivered. > In the interest of moving along, I'd like to suggest something, thinking > aloud as it were. I'm going to work on the assumption that delivery of > CA certs involves only 3 non-trivial issues: a) where they go, and b) > how/where are they obtained, and c) how to deal with CRL. Assuming that > those issues could be solved by a quick discussion, then I believe the > community could solve this issue quite quickly by proposing a project > through the external project creation process, and delivering the > dozen+/- certificates. I wonder if the aforementioned advice section > could address an audience /other/ than the usual Sun funding sources -- > would that be a first for an ARC advice to explicitly acknowledge an > external community and source of projects? The project to do this is already in progress and I've just filed: PSARC/2009/430 Default system CA (X.509) Certificates So this case should be dependent on that one. In theory it doesn't need to depend on it to deliver since the absence of the CA file define in 2009/403 is equivalent to the default of /dev/null. So when 2009/403 does deliver this case automatically causes HTTPS to be enabled. Normally I wouldn't suggest this type of dependency but I think it is safe in this instance and it doesn't time this case to my delivery schedule for PSARC/2009/430. -- Darren J Moffat
