DevConf Fedora badge - System CA certificate trust management planning at DevConf 2016

System CA certificate trust management review and planning will happen at DevConf 2016 this year

The current system CA certificate trust store management tool as implemented by p11-kit supports only limited number of use-cases. We are trying to gather information from various people administering and developing for Fedora and Red Hat Enterprise Linux on how it could be improved.

For this purpose we want to arrange an informal session during DevConf at Brno where we would discuss the current state of the implementation and gather input in the form of use-cases. These use-cases would be interesting to support with future development of p11-kit and additional tools.

Current System CA Use-Cases

Let’s summarize the currently supported use-cases:

  • listing all trusted anchors with pkcs11: URIs and their labels
  • listing all blacklisted certificates
  • adding trusted anchor
  • removing previously added trusted anchor

See the trust command documentation for details.

Missing System CA Use-Cases

We were able to identify these missing use-cases:

  • listing the purpose for which the trusted anchors are trusted
  • listing other attributes of the trusted anchors
  • listing only changes from the trust store made by sysadmin (differences from the trust database as shipped in the ca-certificates package)
  • modifying the purpose for which the trusted anchors are trusted
  • blocking or masking the trusted or blacklisted certificates which are shipped in the ca-certificates package – For example the sysadmin might want to block all the certification authorities from some country that he does not regard as trustworthy.

We are interested in hearing what the high level sysadmin tasks would be eased by improvements in this area, which of the missing use-cases should be implemented first and whether there are any additional use-cases whose support is needed. We would also like to gather feedback on how the trust store management interface should look like. Whether for example the current command-line UI of the trust tool is sufficient.

Come visit at DevConf

The meeting will happen on Friday Feb 5th 2016 13:10-14:30 at the DevConf venue in the room C228.