2015/07/31 6:49 "Vadim Zhukov" <persg...@gmail.com>:
>
> [...]
>
> Well, I see four scenarios:
>
> 1. Using the defaults supplied with OpenBSD only. Typical for home/personal use.
>
> 2. Use the defaults supplied with OpenBSD, and one or more additional
> CAs. Typical for corporate use.
>
> 3. Use a personal set of CAs. Usually means either white- or
> blacklisting entries from the "base" certs pack.
>
> After more thinking I see that the symlink idea is not good. But we can do
> some other thing:
>
> 1. Have "base" certs installed into /etc/examples/certs.pem.
> 2. Additional certs, if any, should go into /etc/ssl/local.pem.
> 3. Have sysmerge handle certs specially: comparing not (old)
> /etc/examples/cert.pem with /etc/ssl/cert.pem, but
> /etc/examples/cert.pem+/etc/ssl/local.pem vs. /etc/ssl/cert.pem. In
> case they do match, sysmerge would regenerate /etc/ssl/cert.pem by
> concatenating (new) /etc/examples/cert.pem and /etc/ssl/local.pem.
>
> What do you think?
I know my opinions don't count much here, but it seems to me that mishandled certificates are such a huge cash cow that no one wants to do them right. Until the cash cow dies, anything we try now is likely to be wrong.

With that caveat, try your ideas on your own system. You'll need to add some scripts of your own to extend what sysmerge and other tools do. Post to the list about how it works for you over the next year or so.

That's my suggestion.

Joel Rees

Computer memory is just fancy paper, CPUs just fancy pens.
All is a stream of text flowing from the past into the future.
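The regeneration rule Vadim describes in the quoted message, written out as the kind of local script Joel suggests. This is an added example, not code from the thread, from OpenBSD's sysmerge or from either poster. The three paths (/etc/examples/cert.pem, /etc/ssl/local.pem, /etc/ssl/cert.pem) are the ones named in the proposal; the "old base" bundle that the tool compares against is an assumption (sysmerge would have to keep the previous release's base pack somewhere), and the PEM-looking files the script builds are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenBSD's sysmerge): the merge rule
# from the proposal as a POSIX sh function. OLD_BASE is an assumed location
# for the previous release's base bundle; the other paths follow the thread.
set -u

# regen_cert_bundle OLD_BASE NEW_BASE LOCAL TARGET
#   If TARGET is byte-for-byte OLD_BASE followed by LOCAL (the admin never
#   hand-edited it), rewrite TARGET as NEW_BASE followed by LOCAL and return 0.
#   Otherwise leave TARGET untouched and return 1 so the admin merges by hand
#   (scenario 3 in the proposal: a white-/blacklisted bundle must not be
#   silently overwritten).
regen_cert_bundle() {
    old_base=$1 new_base=$2 local_pem=$3 target=$4
    # A missing local.pem means "no extra CAs"; treat it as an empty file.
    [ -f "$local_pem" ] || local_pem=/dev/null
    [ -f "$target" ] || return 1

    if cat "$old_base" "$local_pem" | cmp -s - "$target"; then
        # Build the new bundle beside the target and rename it into place, so
        # a crash mid-write never leaves a truncated CA store behind.
        tmp=$(mktemp "$target.XXXXXX") || return 1
        cat "$new_base" "$local_pem" > "$tmp" && chmod 0644 "$tmp" && mv "$tmp" "$target"
        return 0
    fi
    return 1
}

# Constructed stand-in bundles (placeholders, not real certificates) laid out
# like the proposal: old and new base packs, a local.pem, and the merged
# cert.pem that a previous install would have produced.
make_fixture() {
    dir=$1
    fake_cert() { printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "$1"; }
    fake_cert "CONSTRUCTED BASE CA 1" > "$dir/old-base.pem"
    { fake_cert "CONSTRUCTED BASE CA 1"; fake_cert "CONSTRUCTED BASE CA 2"; } > "$dir/new-base.pem"
    fake_cert "CONSTRUCTED CORPORATE CA" > "$dir/local.pem"
    cat "$dir/old-base.pem" "$dir/local.pem" > "$dir/cert.pem"
}

# Stand-alone run: an untouched cert.pem is regenerated, a hand-edited one is refused.
d=$(mktemp -d)
make_fixture "$d"
if regen_cert_bundle "$d/old-base.pem" "$d/new-base.pem" "$d/local.pem" "$d/cert.pem"; then
    echo "cert.pem regenerated from new base + local.pem"
fi
# Simulate an admin who blacklisted a CA by editing cert.pem directly.
printf -- '# edited by hand\n' >> "$d/cert.pem"
if ! regen_cert_bundle "$d/old-base.pem" "$d/new-base.pem" "$d/local.pem" "$d/cert.pem"; then
    echo "cert.pem differs from base + local.pem; left for manual merge"
fi
rm -r "$d"
```

The comparison is exact (cmp), so any reordering, comment or removed entry in cert.pem makes the tool step back, which is the conservative behaviour you want for a trust store: the failure mode is "admin has to merge by hand", never "a CA the admin deliberately removed comes back".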