[Info-vax] Some of what I'm reading...
John E. Malmberg
wb8tyw at qsl.net_work
Mon May 21 08:45:29 EDT 2018
On 5/21/2018 5:58 AM, Arne Vajhøj wrote:
> On 5/20/2018 11:57 PM, John E. Malmberg wrote:
>> On 5/20/2018 7:36 PM, Arne Vajhøj wrote:
>>> On 5/20/2018 8:19 PM, Stephen Hoffman wrote:
>>>> OpenVMS has no concept of protecting keys and private certificates.
>>>> It's all tossed over to the user to deal with. Or to not deal with,
>>>> as the case may be. Apache has its own certificate store, and so
>>>> does the upstream-deprecated-a-decade-ago CDMA, so does ssh, and so
>>>> too does OpenVMS, as do some apps. DECnet has its own password
>>>> storage, as do various apps. Etc. Everybody has implemented their
>>>> own schemes. Some are better than others.
>>>
>>> PKCS#12 is a standard (RFC7292).
>>>
>>> And I believe that both OpenSSL and Java can use PKCS#12 stores.
>>
>> But as Hoff pointed out:
>>
>> 1. No set of OS vendor supplied CA certificates for general use by all
>> applications.
>>
>> 2. No location for user supplied CA certificates for use by all
>> applications.
>>
>> With Linux distros, there is a vendor supplied certificate package,
>> and that package contains a script that does:
>>
>> a: Merges the vendor and user defined certificate into a single
>> directory that OpenSSL and other applications can just reference.
>>
>> b: Looks for additional scripts that are optionally supplied by
>> applications that need other formats than the above, for example a
>> Java keystore, and then updates that keystore.
>>
>> Private keys are generally restricted to a specific application, so
>> while there are some conventions, many applications keep them in their
>> data directories, but suitably protected.
>
> That is true.
>
> I think vendor supplied CA certificates is mostly a browser thing.
>
> But a central/default location and some tools could definitely
> be useful.
Not just browsers. It is used for Java, curl, wget, and any application
that uses OpenSSL directly or indirectly through libcurl, like git,
pypi, etc.
Regards,
-John
wb8tyw at qsl.net_work
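The merge-and-hook step described in the quoted message (a vendor package script that folds vendor and user CA certificates into one location and then calls per-application hooks, e.g. to refresh a Java keystore) can be sketched as follows. This is an added example, not code from the post or from any distribution's ca-certificates package; the directory layout (`vendor/`, `user/`, `hooks/`, `out/ca-bundle.pem`) and the hook convention (every executable in `hooks/` is run with the bundle path as its first argument) are assumptions, and the "certificates" it feeds in are constructed stand-ins with PEM armour around arbitrary bytes, not real X.509 data, which is all the merge logic needs.

```python
"""Merge vendor- and user-supplied CA certificates into one trust bundle and
run application hooks, in the spirit of update-ca-trust / update-ca-certificates.
Added example for illustration; paths and hook convention are assumptions."""
import base64
import hashlib
import os
import re
import subprocess
import tempfile
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def _armour(der: bytes) -> str:
    """Wrap DER bytes in PEM armour with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


def pem_blocks(text: str):
    """Yield (sha256 fingerprint of DER, normalized PEM) for each cert in text."""
    for body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        yield hashlib.sha256(der).hexdigest(), _armour(der)


def merge_trust(vendor_dir, user_dir, out_dir) -> dict:
    """Collect *.pem/*.crt from the vendor dir, then the user dir, drop
    duplicates by fingerprint (first occurrence wins), write out/ca-bundle.pem.
    Returns {fingerprint: source path} for what ended up in the bundle."""
    seen = {}
    for src in (Path(vendor_dir), Path(user_dir)):
        for path in sorted(src.glob("*")):
            if path.suffix not in (".pem", ".crt"):
                continue  # ignore notes, READMEs, stray files
            for fp, pem in pem_blocks(path.read_text()):
                seen.setdefault(fp, (str(path), pem))
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    bundle = out / "ca-bundle.pem"
    bundle.write_text("".join(pem for _, pem in seen.values()))
    os.chmod(bundle, 0o644)  # trust anchors are public; only the writer needs write
    return {fp: src for fp, (src, _) in seen.items()}


def run_hooks(hook_dir, bundle_path) -> list:
    """Run each executable in hook_dir with the bundle path as argv[1]
    (assumed convention, e.g. a hook that rebuilds a Java keystore)."""
    ran = []
    for hook in sorted(Path(hook_dir).glob("*")):
        if hook.is_file() and os.access(hook, os.X_OK):
            subprocess.run([str(hook), str(bundle_path)], check=True)
            ran.append(hook.name)
    return ran


def fake_pem(label: str) -> str:
    """Constructed stand-in: deterministic bytes in PEM armour.
    NOT a real X.509 certificate; enough to exercise parsing and dedup."""
    return _armour(hashlib.sha256(label.encode()).digest() * 3)


def demo(root=None) -> dict:
    """Build a constructed vendor/user/hooks tree under root, merge, run hooks."""
    root = Path(root or tempfile.mkdtemp(prefix="catrust-"))
    vendor, user, hooks, out = (root / n for n in ("vendor", "user", "hooks", "out"))
    for d in (vendor, user, hooks):
        d.mkdir(parents=True, exist_ok=True)
    (vendor / "vendor-bundle.pem").write_text(
        fake_pem("Vendor Root A") + fake_pem("Vendor Root B"))
    (user / "corp-root.crt").write_text(fake_pem("Corp Internal Root"))
    (user / "dup.crt").write_text(fake_pem("Vendor Root A"))  # duplicate, dropped
    (user / "notes.txt").write_text("ignored: wrong extension")
    hook = hooks / "50-record-bundle"  # constructed hook: records the path it was given
    hook.write_text('#!/bin/sh\necho "$1" > "$(dirname "$1")/hook-ran"\n')
    hook.chmod(0o755)
    merged = merge_trust(vendor, user, out)
    ran = run_hooks(hooks, out / "ca-bundle.pem")
    return {"count": len(merged), "hooks": ran,
            "hook_output": (out / "hook-ran").read_text().strip()}


if __name__ == "__main__":
    print(demo())
```

With the constructed inputs, three distinct certificates survive (two vendor, one user; the user copy of a vendor root is dropped by fingerprint) and the single hook runs once with the bundle path. The real tools additionally lay out hash-named symlinks for OpenSSL's `CApath` lookups (`openssl rehash` in OpenSSL 1.1.0 and later), which this example omits.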