This repository has been archived by the owner on Apr 29, 2021. It is now read-only.

Trust Store Management Guide #9

Closed
dasgituser opened this issue Aug 16, 2016 · 14 comments

Comments

@dasgituser
Contributor

@dasgituser (Dave Silver) and @tkpk (Giuseppe Cimmino) are converting the FPKI Management Authority's Trust Store Management Guide to a playbook. The Federal Public Key Infrastructure Management Authority designed and created the Trust Store Management Guide as an education resource for Department, Agency, corporate, and other organizational system level administrators and managers who use the Federal Public Key Infrastructure (FPKI) as part of regular business practices.

@MattKing1

The Trust Store Management Guide can be found here.

@godadada
Contributor

Hi Participants,

I have been assigned this issue. Please let me know the status, open, closed etc?

Thanks
Chunde

@weirdscience
Contributor

I do not think it has been totally converted. The trust store management part hasn't been added (e.g., how to trim/modify Microsoft, Apple, Mozilla trust stores).

@godadada
Contributor

Thanks Ken.
I will carry on the conversion.
Any further info is much appreciated: requirements, pointers to contacts who may know more, etc?

@lachellel
Member

Please see a portion of the outline here:

From the document directly:

  • Section 2.1 is dangerous and not recommended (removing all trusted roots)
  • Section 2.2 can be copied from PIV guides and trust stores - no need for screenshots as the location is more important than Windows based steps
  • Section 2.3 same as 2.2 - and we started the information here: https://github.com/GSA/fpki-guides/blob/staging/pages/fpki_crls.md
  • Section 2.4 is in piv-guides (and it's not quite a GPO, which was feedback when the doc was originally published)
  • Section 2.5 has a placeholder in the top link in this issue post
  • Section 2.6 same as Section 2.5

@godadada
Contributor

Thanks Lachellel.

@godadada
Contributor

Near term To do list for Trust Store Management Guide #9

  1. Conversion to github/md

  2. Trust store management
    How to trim/modify MS, Apple, Mozilla, Adobe trust store
    Finish “How do I manage a Trust Store?”
    Follow the template done for MS OS

  3. Section 2.1 is dangerous and not recommended (removing all trusted roots)

  4. Section 2.2 can be copied from PIV guides and trust stores - no need for screenshots as the location is more important than Windows based steps

  5. Section 2.3 same as 2.2 - and we started the information here: https://github.com/GSA/fpki-guides/blob/staging/pages/fpki_crls.md

  6. Section 2.4 is in piv-guides (and it's not quite a GPO, which was feedback when the doc was originally published)

  7. Section 2.5 has a placeholder in the top link in this issue post

  8. Section 2.6 same as Section 2.5

@lachellel
Member

@godadada
I just merged #71 from @weirdscience. Including additions to trust stores.

wrt

Conversion to github/md

Most has been completed for minimum viable

@godadada
Contributor

"Trust Store" and "Trust Anchor Store" seem to be the same concept, but the latter is used by IETF RFC 6024, 5914, and 5934. Also, it highlights the entry point of trust by using "Anchor". I would suggest we use "Trust Anchor Store" in place of "Trust Store".

Thanks
Chunde

@lachellel
Member

What do normal engineers understand best? [RFC is not a plain language model. sorry IETF colleagues!]

I used Trust Store because I found it to appeal to a broader audience: https://piv.idmanagement.gov/piv-guides/networkconfig/trustedroots/

And searches online. 👍

truststore is also Java language (keystore vs truststore)

https doesn't use either and explained the requirements in even broader terms, plain language, focused on an audience: https://https.cio.gov/certificates/

Don't have a strong opinion except that we have 1) consistency and 2) it works for the intended audience

@clstmbrly
Contributor

Agree that we should use “Trust Store,” since it is accepted by a broader audience. Recommend that because the IETF RFCs use the term, “Trust Anchor Store,” we include a footnote (at first mention of “Trust Store” in the text) that explains: “‘Trust Anchor Store’ is also an industry-accepted term. See RFCs 5914, 5934, and 6024.” If a bibliography will be included in the FPKI Guides, then we should add the full document references for the 3 RFCs.

@godadada
Contributor

godadada commented Apr 21, 2017

@lachellel

Hey Lachellel,
I do not find the PIV Guide of item 4 of your list above applicable to the Trust Store. Please point out specific content from PIV Guide you want me to copy.
Could you also elaborate "Section 2.6 same as Section 2.5"?

Thanks
Chunde

@clstmbrly
Contributor

@lachellel @djpackham In "The most common Trust Stores belong to what vendors?" section table, under the Adobe entry, the link given was for www.apple.com (a mistake, I'm pretty sure). @godadada is searching for a correct link. In the meantime, for the Pull Request, I put in this link that I found: https://helpx.adobe.com/acrobat/kb/approved-trust-list2.html.

@lachellel
Member

closed via #101 and previous prs
