On 2015-07-30, Vadim Zhukov <[email protected]> wrote:
> Well, I see four scenarios:
>
> 1. Using the defaults supplied with OpenBSD only. Typical for home/personal 
> use.
>
> 2. Use the defaults supplied with OpenBSD, and one or more additional
> CAs. Typical for corporate use.
>
> 3. Use personal set of CAs. Usually means either white-, or
> blacklisting entries from "base" certs pack.

> 1. Have "base" certs installed into /etc/examples/cert.pem.
> 2. Additional certs, if any, should go into /etc/ssl/local.pem.
> 3. Have sysmerge handle certs specially: comparing not (old)
> /etc/examples/cert.pem with /etc/ssl/cert.pem, but
> /etc/examples/cert.pem+/etc/ssl/local.pem vs. /etc/ssl/cert.pem. In
> case they do match, sysmerge would regenerate /etc/ssl/cert.pem by
> concatenating (new) /etc/examples/cert.pem and /etc/ssl/local.pem.
>
> What do you think?

This doesn't handle the "blacklisting" case and I think will be difficult
to understand as it's very different to standard use of sysmerge.

If sysmerge was going to have special handling for certificates,
it could have a different merge handler than sdiff that treats it as
more than just a text file. ("add Honest Achmed?", "remove Xyz CA?") ...
I don't know if that's a good idea though.

Perhaps cert.pem should just move to examples/ with no default in /etc/ssl.
It would be an extra hoop for users to jump through but that would free up
/etc/ssl/cert.pem to either be managed manually (create the file or symlink
to examples) or via packages (probably install under an /etc prefix like
the firmware packages; @sample isn't strong enough for CA certs). The
latter would be useful for people who don't care and just want the
bundle from Mozilla, or for people who want tight control and distribute
their own local CA package.

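The merge check in the quoted proposal, and the blacklisting gap the reply points out, written out as an added example. This is not code from either mail and not OpenBSD's sysmerge; it assumes the layout the proposal describes (/etc/examples/cert.pem, /etc/ssl/local.pem, /etc/ssl/cert.pem), uses a cert.pem.old file to stand in for the previously shipped bundle that sysmerge would compare against, takes all paths as parameters so it runs in a scratch directory, and uses constructed placeholder blocks in place of real certificates, since the check is a byte-exact text comparison and never parses the PEM.

```shell
#!/bin/sh
# Added example, not OpenBSD's sysmerge and not code from either mail:
# a sysmerge-style check for /etc/ssl/cert.pem as the quoted proposal
# describes it. Paths are parameters; the "certificates" below are
# constructed placeholders (the check never parses them).

CERT_A='-----BEGIN CERTIFICATE-----
constructed-placeholder-base-CA-A
-----END CERTIFICATE-----'
CERT_B='-----BEGIN CERTIFICATE-----
constructed-placeholder-base-CA-B
-----END CERTIFICATE-----'
CERT_C='-----BEGIN CERTIFICATE-----
constructed-placeholder-base-CA-C-added-in-new-release
-----END CERTIFICATE-----'
CERT_CORP='-----BEGIN CERTIFICATE-----
constructed-placeholder-corporate-CA
-----END CERTIFICATE-----'

# count_certs FILE: number of PEM certificate blocks in FILE.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# merge_certs OLD_BASE NEW_BASE LOCAL TARGET
# Step 3 of the proposal: if TARGET is exactly OLD_BASE + LOCAL, the admin
# never hand-edited the generated bundle, so rewrite it as NEW_BASE + LOCAL
# and return 0. Anything else (including a CA deleted from TARGET, i.e. the
# "blacklisting" case) is left untouched and returns 1 for manual merging.
merge_certs() {
    old_base=$1 new_base=$2 lcl=$3 target=$4
    [ -f "$lcl" ] || lcl=/dev/null          # no local.pem: treat as empty
    if cat "$old_base" "$lcl" | cmp -s - "$target"; then
        cat "$new_base" "$lcl" > "$target"
        return 0
    fi
    return 1
}

# run_demo DIR: lay out examples/ and ssl/ under DIR and exercise both cases.
run_demo() {
    dir=$1
    mkdir -p "$dir/examples" "$dir/ssl"
    # bundle shipped by the previous release (the "old" side of the compare)
    printf '%s\n%s\n' "$CERT_A" "$CERT_B" > "$dir/examples/cert.pem.old"
    # bundle shipped by the upgrade: CA C was added upstream
    printf '%s\n%s\n%s\n' "$CERT_A" "$CERT_B" "$CERT_C" > "$dir/examples/cert.pem"
    # the corporate CA the site appended via local.pem (scenario 2)
    printf '%s\n' "$CERT_CORP" > "$dir/ssl/local.pem"

    # Case 1: cert.pem is untouched old base + local -> regenerated with C.
    cat "$dir/examples/cert.pem.old" "$dir/ssl/local.pem" > "$dir/ssl/cert.pem"
    if merge_certs "$dir/examples/cert.pem.old" "$dir/examples/cert.pem" \
                   "$dir/ssl/local.pem" "$dir/ssl/cert.pem"; then
        echo "case 1: regenerated, $(count_certs "$dir/ssl/cert.pem") certs"
    else
        echo "case 1: unexpected mismatch"; return 1
    fi

    # Case 2: the admin blacklisted CA B by deleting it from cert.pem.
    # The concatenation no longer matches, so nothing is regenerated and
    # the new CA C is not picked up: the gap the reply points out.
    printf '%s\n%s\n' "$CERT_A" "$CERT_CORP" > "$dir/ssl/cert.pem"
    if merge_certs "$dir/examples/cert.pem.old" "$dir/examples/cert.pem" \
                   "$dir/ssl/local.pem" "$dir/ssl/cert.pem"; then
        echo "case 2: unexpectedly regenerated"; return 1
    fi
    echo "case 2: locally modified, left for manual merge," \
         "$(count_certs "$dir/ssl/cert.pem") certs"
}

run_demo "$(mktemp -d)"
```

Run it as-is and it prints one line per case from a throwaway directory. Note that case 2 is exactly the whitelist/blacklist scenario: once an entry has been removed from the generated bundle, the byte comparison can never match again, so every later upgrade falls through to manual merging, which is why a handler that understands individual certificates (or a separate package-managed bundle) is the alternative discussed in the reply.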