On 04/09/2012 10:35 AM, Kurt Roeckx wrote:
> On Mon, Apr 09, 2012 at 09:52:44AM -0400, Daniel Kahn Gillmor wrote:
>> On 04/07/2012 12:46 PM, Kurt Roeckx wrote:
>>
>>> At least the certdata.txt file contains the information, you can
>>> edit in iceweasel/firefox.
>>
>> edit at runtime or at compile time? system administrators ideally
>> shouldn't have to recompile packages in order to add or drop system-wide
>> default reliance on a given CA.
>
> iceweasel/firefox allows editing it at runtime, just like it
> allows you to add more keys to its store. I think it's stored in
> cert8.db / cert_override.txt. But that's all per application /
> user.
Right, so this is not system-wide defaults, so it doesn't satisfy the need described above.

>> Can you propose a mechanism such that this info would not get lost?
>
> X509 has a way to embed the trust in the certificate itself, see
> "TRUST SETTINGS" in openssl's x509 manpage.

This looks like it only works with PEM output, and it appends chunks of (base64-encoded) ASN.1 data after the initial base64-encoded ASN.1 blob of the certificate. The header and footer of the PEM output change from -----BEGIN CERTIFICATE----- to -----BEGIN TRUSTED CERTIFICATE-----, which makes it so the certificate apparently can't be read by NSS's certutil.

A cursory search doesn't turn up any sort of spec for -----BEGIN TRUSTED CERTIFICATE-----; do you know if that's documented somewhere?

--dkg
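The "chunks of ASN.1 data after the certificate" that dkg describes have a fixed shape in OpenSSL: the trailing DER is the X509_CERT_AUX structure (a SEQUENCE holding an optional SEQUENCE OF trusted-purpose OIDs, an optional [0]-tagged SEQUENCE OF rejected-purpose OIDs, an optional UTF8String alias and an optional OCTET STRING key id). The following Python is an added example, not code from this thread or from OpenSSL; it splits a TRUSTED CERTIFICATE PEM block at the end of the certificate's outer SEQUENCE and decodes the trust settings. The sample input is constructed inline: a placeholder DER SEQUENCE stands in for the certificate (it is not a real X.509 certificate), and the appended settings correspond to what `openssl x509 -addtrust serverAuth -addreject emailProtection -setalias "Example CA" -trustout` would write.

```python
import base64
import re

# Purpose OIDs accepted by openssl x509 -addtrust / -addreject (common subset).
OID_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "2.5.29.37.0": "anyExtendedKeyUsage",
}
NAME_OIDS = {v: k for k, v in OID_NAMES.items()}


def read_tlv(buf, pos=0):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def tlv(tag, body):
    """Encode one DER TLV (used to build the constructed sample)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def decode_oid(value):
    """DER OID contents -> dotted string."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def split_trusted_pem(pem):
    """Return (cert_der, aux_der) from a -----BEGIN TRUSTED CERTIFICATE----- block.

    The base64 body is the certificate DER immediately followed by the
    X509_CERT_AUX DER; the certificate's outer SEQUENCE length marks the split.
    """
    m = re.search(r"-----BEGIN TRUSTED CERTIFICATE-----(.*?)"
                  r"-----END TRUSTED CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("not a TRUSTED CERTIFICATE PEM block")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, _, end = read_tlv(der)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    return der[:end], der[end:]


def parse_trust_aux(aux):
    """Decode X509_CERT_AUX: SEQUENCE { trust SEQUENCE OF OID OPT, reject [0]
    IMPLICIT SEQUENCE OF OID OPT, alias UTF8String OPT, keyid OCTET STRING OPT,
    other [1] ... OPT }.  An empty aux (plain CERTIFICATE) yields no settings."""
    result = {"trust": [], "reject": [], "alias": None, "keyid": None}
    if not aux:
        return result
    tag, body, _ = read_tlv(aux)
    if tag != 0x30:
        raise ValueError("trust settings are not a SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag in (0x30, 0xA0):             # trust (0x30) / reject ([0] = 0xA0)
            oids, p = [], 0
            while p < len(value):
                otag, ov, p = read_tlv(value, p)
                if otag != 0x06:
                    raise ValueError("expected OID in purpose list")
                dotted = decode_oid(ov)
                oids.append(OID_NAMES.get(dotted, dotted))
            result["trust" if tag == 0x30 else "reject"] = oids
        elif tag == 0x0C:                   # UTF8String alias
            result["alias"] = value.decode("utf-8")
        elif tag == 0x04:                   # OCTET STRING key id
            result["keyid"] = value.hex()
        # [1] other (0xA1) is ignored here
    return result


def build_sample_trusted_pem():
    """Constructed sample: placeholder SEQUENCE instead of a real certificate,
    plus trust=serverAuth, reject=emailProtection, alias="Example CA"."""
    fake_cert = tlv(0x30, tlv(0x02, b"\x01"))          # NOT a real X.509 cert
    aux = tlv(0x30, tlv(0x30, encode_oid(NAME_OIDS["serverAuth"]))
              + tlv(0xA0, encode_oid(NAME_OIDS["emailProtection"]))
              + tlv(0x0C, b"Example CA"))
    b64 = base64.encodebytes(fake_cert + aux).decode()
    return ("-----BEGIN TRUSTED CERTIFICATE-----\n" + b64
            + "-----END TRUSTED CERTIFICATE-----\n")


if __name__ == "__main__":
    cert, aux = split_trusted_pem(build_sample_trusted_pem())
    print(len(cert), "cert bytes;", parse_trust_aux(aux))
```

The split in `split_trusted_pem` is also why the format is fragile for other consumers: a reader that only knows `CERTIFICATE` headers will either refuse the block (as certutil does) or, if it ignores the header, parse the first SEQUENCE and silently drop the trust settings after it.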