• Addressing Linux's missing PKI infrastructure

    From LWN.net@1337:1/100 to All on Monday, December 08, 2025 18:00:07
    Addressing Linux's missing PKI infrastructure

    Date:
    Mon, 08 Dec 2025 17:48:35 +0000

    Description:
    Jon Seager, VP of engineering for Canonical, has announced a plan to develop
    a universal Public Key Infrastructure tool called upki:

    Earlier this year, LWN featured an excellent article titled "Linux's
    missing CRL infrastructure". The article highlighted a number of key
    issues surrounding traditional Public Key Infrastructure (PKI), but
    critically noted how even the available measures are effectively
    ignored by the majority of system-level software on Linux. One of the
    motivators for the discussion is that the Online Certificate Status
    Protocol (OCSP) will cease to be supported by Let's Encrypt. The
    remaining alternative is to use Certificate Revocation Lists (CRLs),
    yet there is little or no support for managing (or even querying)
    these lists in most Linux system utilities. To solve this, I'm happy
    to share that in partnership with rustls maintainers Dirkjan Ochtman
    and Joe Birr-Pixton, we're starting the development of upki: a
    universal PKI tool. This project initially aims to close the
    revocation gap through the combination of a new system utility and
    eventual library support for common TLS/SSL libraries such as OpenSSL,
    GnuTLS and rustls.

    No code is available as of yet, but the announcement indicates that
    upki will be available as an opt-in preview for Ubuntu 26.04 LTS.
    Thanks to Dirkjan Ochtman for the tip.

    ======================================================================
    Link to news story:
    https://lwn.net/Articles/1049663/


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet UK HUB @ hub.uk.erb.pw (1337:1/100)