#665 SSLCertificateHandling policy update
Opened 7 years ago by nmav. Modified 5 years ago

I'd like to update the current SSLCertificateHandling packaging guidelines for clarity. The reason is that it covers two different fields, PKCS#11 requirements and Application requirements for certificates/keys. The audience is typically different. For that I'd like to propose to split it, into two different documents:
https://fedoraproject.org/wiki/PackagingDrafts/Pkcs11Support
https://fedoraproject.org/wiki/PackagingDrafts/SSLCertificateHandlingUpdate

Note that I've also removed the motivation part, extended it, and moved it outside the guidelines:
https://fedoraproject.org/wiki/User:Nmav/Pkcs11Status

That makes the guidelines easier to read.

https://fedoraproject.org/wiki/Packaging:SSLCertificateHandling


I'm all for making things easier to read. I also wanted to point out that there's also a weird overlap between the SSLCertificateHandling guideline and https://fedoraproject.org/wiki/Packaging:Initial_Service_Setup which talks about nothing except SSL certificates. And simplified https://fedoraproject.org/wiki/PackagingDrafts/SSLCertificateHandlingUpdate page to me doesn't seem to talk about SSL certificates at all, so perhaps both documents could use better names.

About the comment on SSLCertificateHandlingUpdate, this guideline is for SSL certificates stored in HSMs or smart cards. I have made the text more clear. We can rename the page to "SSLCertificateOnSmartCard" or to some better suggestion (maybe after approval).

Note that at some point in the not so distant future I would quite like to expand the scope of the application guidelines to cover certificates from files, along the lines of http://david.woodhou.se/draft-woodhouse-cert-best-practice.html

If we change the name now, I might want to change it back if we do merge file-based guidelines into it.

Other than that, everything looks good to me.

We discussed this at this weeks meeting (http://meetbot.fedoraproject.org/fedora-meeting-1/2016-12-08/fpc.2016-12-08-17.00.txt):

  • 665 SSLCertificateHandling policy update (geppetto, 17:47:51)

  • We'd like a diff. from current guidlines, just so we can easily know
    what changed (geppetto, 18:10:44)
  • See/answer random confused questions asked in meeting, we aren't
    pk11 experts (geppetto, 18:12:07)

I am not sure how I can provide a diff. However, note that on the original proposal [0], the sections Examples and Background are gone (they are informal and moved out of the document. That makes the proposal text four paragraphs (Solution - Proposal). Those two are expanded:

Original paragraph to its mapping:
* "Which provider to load?" maps to "How applications take advantage of registered provider modules" in [1]
* "How to specify a certificate?" maps to "How to specify an object stored in a smart card/HSM" in [1]
* "Client and server applications" maps to both paragraphs of [2].
* "PKCS#11 Providers" maps to "Registering the modules system-wide" and "How applications take advantage of registered provider modules" in [1]

The paragraph "How to specify a specific smart card/HSM" is new and extends "How to specify a certificate?"

[0]. https://fedoraproject.org/wiki/Packaging:SSLCertificateHandling

[1]. https://fedoraproject.org/wiki/PackagingDrafts/Pkcs11Support

[2]. https://fedoraproject.org/wiki/PackagingDrafts/SSLCertificateHandlingUpdate

About "See/answer random confused questions asked in meeting, we aren't pk11 experts (geppetto, 18:12:07)" , I have no idea what the random confused questions are. Is there a link to them?

If you click on the link in my comment 5, you can see the full log. Dito. when we discussed it a bit today:

https://meetbot.fedoraproject.org/fedora-meeting-1/2016-12-15/fpc.2016-12-15-16.59.log.html

...in general we just aren't familiar with pkcs11 etc. so there's a balance between trying to understand and just hoping you and david have it right. I guess a general feeling was also "this looks complicated for normal packagers"

== Is it relevant for packaging guidelines? ==

17:52:58 <Rathann> surely we won't be packaging SSL certs on HSMs or smart cards...
17:53:27 <Rathann> I mean, that's also a way of packaging, but surely not RPM packaging ;)

I'd describe these guidelines as OS expectations from applications using smart cards. These intend to bring a consistent experience to users using smart cards. An example is, to specify my smart card key in openvpn I have to specify something like 'slot_1_1', in NSS applications I have to create a database and specify the label of object 'nikos-key'. These guidelines intend to unify the experience to the user by telling that he has to make sure that the application uses a consistent approach. What I write above is expanded at: https://fedoraproject.org/wiki/User:Nmav/Pkcs11Status#Problem_statement

== How does this relate to p11-kit? ==

17:57:58 <Rathann> current working examples are also useful, so I wouldn't move them out to a separate page
17:58:33 <racor> they are referring to a "p11-kit" - Are we supposed to invoke some install/uninstall scripts? No idea.

p11-kit provides a system-wide registry for the available modules (modules in this context is a synonym to a smart card driver). How to register a module is discussed at:
https://fedoraproject.org/wiki/PackagingDrafts/Pkcs11Support#Registering_the_modules_system-wide
Why we need to register a module system-wide is discussed at:
https://fedoraproject.org/wiki/User:Nmav/Pkcs11Status#No_central_registry_of_modules

== Do they need to be Requires:? ==

18:02:37 <racor> also, I suspect, there need to be some mandatory "Requires:" and/or "BuildRequires" somewhere.

Currently we require the (smart card driver) provider applications to install a file on a path such as $RPM_BUILD_ROOT%{_datadir}/p11-kit/modules/. No Requires or BuildRequires are needed.

== We need a diff ==

18:10:44 <geppetto> #info We'd like a diff. from current guidlines, just so we can easily know what changed

I have provided above the sections that replace the old sections. There is no 1-1 mapping and the document is organized differently so even if you could make a diff it will not help you much. The previous guidelines are bit compact and maybe confusing to someone not familiar with the topic. It would be easier if you handle it as new text which addresses the problem statement:
https://fedoraproject.org/wiki/User:Nmav/Pkcs11Status#Problem_statement

== Target audience of the pages ==

For PackagingDrafts/Pkcs11Support the audience are packagers which package drivers for smart cards (modules) and tools for handling cards. The last two sections, could also be relevant fpr packagers which have applications that use smart cards.

For PackagingDrafts/SSLCertificateHandlingUpdate the audience are packages which have applications that use smart cards for certificates or keys.

We discussed this at this weeks meeting (https://meetbot-raw.fedoraproject.org/fedora-meeting-1/2017-01-05/fpc.2017-01-05-17.00.txt):

Metadata Update from @nmav:
- Issue assigned to james

7 years ago

Metadata Update from @tibbs:
- Issue assigned to tibbs (was: james)

7 years ago

Metadata Update from @tibbs:
- Issue close_status updated to: None
- Issue tagged with: committee

7 years ago

What is the status of this?

@james @tibbs it is almost a year. Is there any way I can help with that?

Tagging with meeting as @nmav approached me personally to bump this. Let's see what we can do here.

Metadata Update from @churchyard:
- Issue tagged with: meeting

5 years ago

When's the meeting? If you ping me on IRC I can drop in and attempt to handle "random, confused questions" :)

Usually on Thursdays at 16:00 UTC. #fedora-meeting-1

What should we do about this?

FYI, now guidelines are stored in this git repo so you can send Pull Request ;)

Metadata Update from @ignatenkobrain:
- Issue untagged with: meeting

5 years ago

@ignatenkobrain for whom is the question and the suggestion?

Looks good after briefly looking at the diff. So, +1 from me

Hmm, we were at +4 in the meeting as I recall but I don't see where that got recorded. This should bring us to +5. Will need to check the logs but I'm short on time today.

Yes, it was +4 in the meeting:

#info PR/821 is +4, 0, 0, decathorpe/redi can vote in the ticket

+1 from me too, for +6 total.

Login to comment on this ticket.

Metadata