From Fedora Project Wiki
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=998546 #998546]



Latest revision as of 13:53, 19 August 2013

Shared Certificate Tools

Summary

Fedora now has infrastructure for sharing system trusted certificates between the various crypto libraries.

Tools are being worked on for adding/removing these shared trusted certificates, as well as blacklisted certificates. This is being worked on upstream in the p11-kit project.

This change integrates that upstream work into Fedora.

Owner

  • Name: Stef Walter
  • Email: stefw@redhat.com
  • Release notes owner:

Current status

Detailed Description

A tool will be added to the p11-kit-trust package which can be used to perform the following actions:

  • Add a trust anchor
  • Disable a trust anchor
  • Remove an added trust anchor
  • Blacklist a certificate or key
  • Remove a blacklisted certificate or key

Because not all crypto implementations read their trusted information directly from the dynamic database, the tool will take care of extracting things as appropriate after making a change. This will enable administrators to run a single command to add an anchor (and perform other tasks).

Benefit to Fedora

This is the next incremental step in the Shared System Certificate work. Fedora will become easier to manage for administrators or system builders.

Scope

Work has been done in p11-kit to have the trust module store changes. The initial tool has been written upstream. The remainder of the tool needs completion.

The ca-certificates package will need some minor tweaks to make sure the new tools integrate correctly with it.

Although this feature can potentially affect a large number of packages, the implementation is well bounded. It is limited to p11-kit (with one or two lines changed in ca-certificates).

  • Proposal owners: stefw
  • Other developers: kaie (for ca-certificates)
  • Release engineering: N/A (not a System Wide Change)
  • Policies and guidelines: N/A (not a System Wide Change)

Upgrade/compatibility impact

It is our aim that no upgrade will be needed. We explicitly did not publish the relevant data formats in the versions shipped in Fedora 19. There should be no need to migrate data, as there has been no data stored by the trust module yet.

The ca-certificates package will have some minor tweaks in concert with p11-kit.

How To Test

  • A test day will be prepared for this change.
  • Further information for testing will appear here, with relevant commands to run.

User Experience

  • The administrator's user experience will change. In Fedora 19 they had to place a file in a certain special directory, and then run 'update-ca-trust'. In Fedora 20 they will run a simple command which performs all relevant actions.

Dependencies

N/A (not a System Wide Change)

Contingency Plan

  • We will not change the Fedora 19 behavior. This new functionality is built on top of it.
  • A revert to Fedora 19 is possible as a contingency.
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change)

Documentation

There will be manual pages and documentation. In addition, a blog post will be written at this point to explain the system.

Release Notes

  • Release notes will be provided.