The current system CA certificate trust store management tool, as implemented by p11-kit, supports only a limited number of use-cases. We are trying to gather information from various people administering and developing for Fedora and Red Hat Enterprise Linux on how it could be improved.
For this purpose we want to arrange an informal session during DevConf in Brno where we would discuss the current state of the implementation and gather input in the form of use-cases. These use-cases would be interesting to support with future development of p11-kit and additional tools.
Current System CA Use-Cases
Let’s summarize the currently supported use-cases:
- listing all trusted anchors with pkcs11: URIs and their labels
- listing all blacklisted certificates
- adding a trusted anchor
- removing a previously added trusted anchor
See the trust command documentation for details.
Missing System CA Use-Cases
We were able to identify these missing use-cases:
- listing the purpose for which the trusted anchors are trusted
- listing other attributes of the trusted anchors
- listing only changes from the trust store made by sysadmin (differences from the trust database as shipped in the ca-certificates package)
- modifying the purpose for which the trusted anchors are trusted
- blocking or masking the trusted or blacklisted certificates which are shipped in the ca-certificates package. For example, the sysadmin might want to block all the certification authorities from some country that he does not regard as trustworthy.
We are interested in hearing which high-level sysadmin tasks would be eased by improvements in this area, which of the missing use-cases should be implemented first, and whether there are any additional use-cases that need support. We would also like to gather feedback on what the trust store management interface should look like, for example whether the current command-line UI of the trust tool is sufficient.
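As an added illustration (not part of p11-kit or the original post), the missing "list only sysadmin changes" use-case can be approximated today by comparing two saved copies of `trust list` output. The sample text below is constructed, its entries are trimmed to three fields, and the baseline is assumed to have been captured before any local changes.

```python
# Constructed sample data: URIs and labels are made up for illustration.
BASELINE = """\
pkcs11:id=%AA%01;type=cert
    type: certificate
    label: Example Root CA 1
    trust: anchor

pkcs11:id=%AA%02;type=cert
    type: certificate
    label: Example Root CA 2
    trust: anchor
"""

CURRENT = """\
pkcs11:id=%AA%01;type=cert
    type: certificate
    label: Example Root CA 1
    trust: blacklisted

pkcs11:id=%BB%07;type=cert
    type: certificate
    label: Site Internal CA
    trust: anchor
"""

def parse_trust_list(text):
    """Return {pkcs11_uri: {field: value}} from `trust list`-style output."""
    entries, current = {}, None
    for line in text.splitlines():
        if line.startswith("pkcs11:"):        # unindented URI line opens an entry
            current = entries.setdefault(line.strip(), {})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return entries

def diff_trust(baseline, current):
    """Report entries added, removed, or whose trust value changed."""
    old, new = parse_trust_list(baseline), parse_trust_list(current)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(u for u in old.keys() & new.keys()
                          if old[u].get("trust") != new[u].get("trust")),
    }

if __name__ == "__main__":
    for kind, uris in diff_trust(BASELINE, CURRENT).items():
        print(kind, uris)
```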
Come visit at DevConf
The meeting will take place on Friday, Feb 5th 2016, 13:10-14:30 at the DevConf venue in room C228.