Using system SSL certificates...

Bernhard Reiter bernhard at intevation.de
Fri Feb 12 14:20:20 GMT 2010


Am Freitag, 29. Januar 2010 22:51:32 schrieb Benjamin Long:
> I wish Firefox used the system certs as well, as
> the only way to add a private CA there is to create an addon that installs
> it. At least Firefox is just web browsing and not mail and other servers.
> Administering it all would be much more of a PITA if KDE couldn't be set up
> to use the system certs.
> This is on Debian/Ubuntu, btw.

I agree that KDE should use the system-certs by default - on all systems.

On platform where the user (or KDE) could not interface with the certificate 
system in order to add some preferences or certs, I agree that it would be 
okay to override the system so some extend. At least it should be possible to 
disable this by the admin.

A well maintained system needs a well maintained root cert bundle.
Free Software is already at the disadvantage regarding managing x509 
certificates. In addition: in order to make a large part of the security in 
the system working, you would need to make checks of certificate revocation 
status mandatory.

> Please, whatever you do make sure that I can add CA's to the system from a
> script. :P

I agree that this is an important requirement.

Two more thoughts on this: Werner Koch - my friend from g10code - brought up 
the idea that some security would be working better if each leave certificate 
would be remembered and warned if changed, instead of making the whole chain 
evaluation work. I tend to like the idea, but implementation of course has to 
be good to actually be useful. With that approach there would be no need for 
a root cert bundle (which usually contains some bad root certs and way too 
many to attack).

The GnuPG2 stack comes with an x509 certificate handling backend, including 
revocation handling. The main application is called dirmngr. In the mid term 
it would be cool to make use of that at last optionally, but this sounds like 
a major effort to do. Kleopatra is an upcoming frontend application for 
certificates (both OpenPGP and x509). Note that secret keys on smartcards are 
supported, which could also be interesting for client authentification.

Bernhard
ps.: Please copy me on relevant replies. I am subscribed to kde-core-devel, 
but this is too much to follow for me sometimes.

-- 
Managing Director - Owner: www.intevation.net       (Free Software Company)
Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2620 bytes
Desc: not available
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20100212/5fb6d2fd/attachment.bin>


More information about the kde-core-devel mailing list