I'm restarting this case; given the previous review and the fact that this just addresses the issues it brought up, I'm marking it closed approved now. If anyone thinks it needs further review I'll start a timer.

The new technical part spec is as follows (and is in the case directory as spec.txt)

Proposal
--------
This case is about the architecture of where and in what format
CA certificates are delivered.  The specific list of certs to deliver is
a "business" issue for any given distribution.

The project team intends to initially deliver the same set of CA
certificates that is used in the Mozilla NSS libraries.

The project team reserves the right to revise the exact list of
certificates and/or choose an entirely different source of certificates
at any time without requiring further ARC review.

A separate X.509 certificate in PEM format for each CA will be placed
in /etc/certs/CA/.  The files will be named by taking the X.509 DN and
replacing the spaces and other unprintables with an '_'.  A symlink
named using the 'openssl x509 hash' command to each of those PEM files
is also created for those consumers that do fast lookups using a hash
of the cert DN.

The package name is pkg:/system/ca-certs

                      Exported Interfaces
+---------------------------------------------------------+
| pkg:/system/ca-certs                        | Volatile  |
| /etc/certs/CA/  [1]                         | Committed |
| format CA files (PEM)                       | Committed |
| Exact list of CA files                      | Volatile  |
+---------------------------------------------------------+

[1] Note that the /etc/certs directory already exists and is a delivered
component of Solaris (via pkg:/SUNWcs).

--
Darren J Moffat
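
The following is an added example, not part of the original message or the project's code: a structural audit of a directory laid out as the spec describes (one PEM file per CA named from the DN, plus a hash-named symlink to each). It assumes "unprintables" means anything outside printable ASCII, also replaces '/', and assumes OpenSSL's `<hash>.<n>` link naming; it does not recompute the hash, which needs `openssl x509 -hash`.

```python
import os
import re
import tempfile

# OpenSSL's hashed-directory lookup expects links named <subject hash>.<n>.
HASH_LINK = re.compile(r"^[0-9a-f]{8}\.\d+$")
PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

def dn_to_filename(dn):
    # Spec rule: spaces and other unprintables become '_'.
    # Assumption: "unprintable" means outside printable ASCII; '/' is also
    # replaced because it cannot appear in a file name.
    return "".join(c if "!" <= c <= "~" and c != "/" else "_" for c in dn)

def audit_ca_dir(ca_dir):
    """Return (name, problem) pairs for entries that break the layout."""
    root = os.path.realpath(ca_dir)
    problems, files, linked = [], [], set()
    for name in sorted(os.listdir(ca_dir)):
        path = os.path.join(ca_dir, name)
        if os.path.islink(path):
            target = os.path.realpath(path)
            if not HASH_LINK.match(name):
                problems.append((name, "link name is not <hash>.<n>"))
            elif os.path.dirname(target) != root:
                problems.append((name, "link target outside CA directory"))
            elif not os.path.isfile(target):
                problems.append((name, "dangling link"))
            else:
                linked.add(os.path.basename(target))
        elif os.path.isfile(path):
            files.append(name)
            with open(path, "rb") as f:
                if not f.read().lstrip().startswith(PEM_HEADER):
                    problems.append((name, "not PEM"))
    problems += [(n, "no hash symlink") for n in files if n not in linked]
    return problems

def demo():
    # Constructed sample directory; DNs, hashes and PEM bodies are placeholders.
    stub = PEM_HEADER + b"\n(placeholder)\n-----END CERTIFICATE-----\n"
    with tempfile.TemporaryDirectory() as d:
        good = dn_to_filename("CN=Example Root CA, O=Example Org")
        for name in (good, "CN=Orphan_CA"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(stub)
        os.symlink(good, os.path.join(d, "0a1b2c3d.0"))            # valid
        os.symlink("missing", os.path.join(d, "deadbeef.0"))       # dangling
        os.symlink("../elsewhere", os.path.join(d, "11111111.0"))  # escapes dir
        return good, audit_ca_dir(d)
```

A link that resolves outside the CA directory is reported separately from a dangling one because it means trust decisions depend on a file the package does not deliver.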