[Info-vax] Some of what I'm reading...
Arne Vajhøj
arne at vajhoej.dk
Mon May 21 06:58:15 EDT 2018
On 5/20/2018 11:57 PM, John E. Malmberg wrote:
> On 5/20/2018 7:36 PM, Arne Vajhøj wrote:
>> On 5/20/2018 8:19 PM, Stephen Hoffman wrote:
>>> OpenVMS has no concept of protecting keys and private certificates.
>>> It's all tossed over to the user to deal with. Or to not deal with,
>>> as the case may be. Apache has its own certificate store, and so
>>> does the upstream-deprecated-a-decade-ago CDMA, so does ssh, and so
>>> too does OpenVMS, as do some apps. DECnet has its own password
>>> storage, as do various apps. Etc. Everybody has implemented their
>>> own schemes. Some are better than others.
>>
>> PKCS#12 is a standard (RFC7292).
>>
>> And I believe that both OpenSSL and Java can use PKCS#12 stores.
>
> But as Hoff pointed out:
>
> 1. No set of OS vendor supplied CA certificates for general use by all
> applications.
>
> 2. No location for user supplied CA certificates for use by all
> applications.
>
> With Linux distros, there is a vendor supplied certificate package, and
> that package contains a script that does:
>
> a: Merges the vendor and user defined certificate into a single
> directory that OpenSSL and other applications can just reference.
>
> b: Looks for additional scripts that are optionally supplied by
> applications that need other formats than the above, for example a Java
> keystore, and then updates that keystore.
>
> Private keys are generally restricted to a specific application so
> while there are some conventions, many applications keep them in their
> data directories, but suitably protected.

That is true.

I think vendor supplied CA certificates are mostly a browser thing.

But a central/default location and some tools could definitely
be useful.

Arne
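
The merge-and-hook behaviour described in the quoted text for Linux certificate packages, as an added example (not code from this thread or from any distribution's package). The function name, the `.crt`/`.pem` naming, the `ca-bundle.crt` file name and all four directory arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration: merge vendor and user CA certificates into one
# directory plus one bundle file, then run optional per-application hooks.
# Names and layout are assumptions, not a real distribution's script.

# merge_ca_store VENDOR_DIR LOCAL_DIR OUT_DIR HOOKS_DIR -> prints cert count
merge_ca_store() {
    vendor_dir=$1; local_dir=$2; out_dir=$3; hooks_dir=$4
    mkdir -p "$out_dir" || return 1
    rm -f "$out_dir"/*.pem              # drop CAs removed since the last run

    # Vendor first, local second: a local file replaces a vendor file
    # that has the same name.
    for src in "$vendor_dir"/*.crt "$local_dir"/*.crt; do
        [ -f "$src" ] || continue       # unmatched glob or not a regular file
        # Skip anything that does not contain a PEM certificate.
        grep -q -e '-----BEGIN CERTIFICATE-----' "$src" || continue
        cp -f "$src" "$out_dir/$(basename "$src" .crt).pem" || return 1
    done

    # Build the bundle in a temp file and rename it into place, so readers
    # never see a half-written bundle.
    tmp=$(mktemp "$out_dir/.bundle.XXXXXX") || return 1
    count=0
    for pem in "$out_dir"/*.pem; do
        [ -f "$pem" ] || continue
        cat "$pem" >> "$tmp"
        count=$((count + 1))
    done
    chmod 644 "$tmp" && mv -f "$tmp" "$out_dir/ca-bundle.crt" || return 1

    # Hooks convert the merged set to other formats (for example a Java
    # keystore); each receives the merged directory as its only argument.
    if [ -d "$hooks_dir" ]; then
        for hook in "$hooks_dir"/*; do
            [ -f "$hook" ] && [ -x "$hook" ] || continue
            "$hook" "$out_dir" >&2 || echo "hook failed: $hook" >&2
        done
    fi
    echo "$count"
}
```

Only CA certificates go through this path; private keys stay in each application's own protected directory, as the quoted text notes.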