Re: System CA certificate trust store management meeting
On Tue, 2016-02-16 at 11:08 +0100, Tomas Mraz wrote:
>
> unfortunately probably due to no mention of the public meetings in the
> official DevConf schedule - they were mentioned only on a separate page
> in the DevConf brochure - there was only a single non-redhatter that
> appeared at the meeting.
>
> We had some informal discussion with him and the redhatters that were
> present. The conclusion was that our team should probably focus more on
> the crypto libraries support for the stapled extensions and using the
> trust store directly via the p11-kit-trust PKCS#11 module and not
> through the extracted certificate lists - namely OpenSSL lacks this
> support and probably should be the first priority to fix before any
> development of high-level trust management application/API should
> start.

I concur. We desperately need to fix the lack of PKCS#11 support in
OpenSSL. I'd love to see a suitably-licensed (re)implementation of libp11
added directly to crypto/pkcs11 and properly integrated.

Not strictly *system CA* certificate... but we also need to fix NSS to be
compliant with the Fedora guidelines about using the correct tokens as
configured by p11-kit, and allowing applications to specify objects by
their PKCS#11 URI. Was that discussed? There was... bizarreness... last
time I raised it on the Mozilla dev-tech-crypto list.

--
David Woodhouse                            Open Source Technology Centre
david.woodho...@intel.com                              Intel Corporation

--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
Re: System CA certificate trust store management meeting
On Mon, 2016-02-15 at 13:05 +, David Woodhouse wrote:
> On Tue, 2016-02-02 at 17:13 +0100, Tomas Mraz wrote:
> > Hello,
> > for anyone interested in the subject and visiting DevConf in Brno on
> > this Friday - we will be holding an informal meeting to gather use-cases
> > for needed improvements in this area. We are interested in feedback from
> > Fedora/RHEL system administrators and developers.
> >
> > The meeting will happen on Friday Feb 5th 2016 13:10-14:30 at the
> > DevConf venue in the room C228.
> >
> > See also:
> > https://communityblog.fedoraproject.org/system-ca-certificate-trust-management-review-planning-meeting-devconf/
> >
> > Regards,
> >
> > Tomas Mraz, Security Technologies Team member at Red Hat
>
> Hi Tomas,
>
> Was there a conclusion for this?

Hello,
unfortunately probably due to no mention of the public meetings in the
official DevConf schedule - they were mentioned only on a separate page
in the DevConf brochure - there was only a single non-redhatter that
appeared at the meeting.

We had some informal discussion with him and the redhatters that were
present. The conclusion was that our team should probably focus more on
the crypto libraries support for the stapled extensions and using the
trust store directly via the p11-kit-trust PKCS#11 module and not
through the extracted certificate lists - namely OpenSSL lacks this
support and probably should be the first priority to fix before any
development of high-level trust management application/API should
start.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)
Re: System CA certificate trust store management meeting
On Tue, 2016-02-02 at 17:13 +0100, Tomas Mraz wrote:
> Hello,
> for anyone interested in the subject and visiting DevConf in Brno on
> this Friday - we will be holding an informal meeting to gather use-cases
> for needed improvements in this area. We are interested in feedback from
> Fedora/RHEL system administrators and developers.
>
> The meeting will happen on Friday Feb 5th 2016 13:10-14:30 at the
> DevConf venue in the room C228.
>
> See also:
> https://communityblog.fedoraproject.org/system-ca-certificate-trust-management-review-planning-meeting-devconf/
>
> Regards,
>
> Tomas Mraz, Security Technologies Team member at Red Hat

Hi Tomas,

Was there a conclusion for this?

--
dwmw2