Navigation Item - Trust Stores Page about fpki-guides HOT 4 CLOSED

@lachellel

Would it be useful to include a table of the different trust stores (i.e. Microsoft, Apple, NSS, Java, etc.) that includes a brief description of each, as well as other resourceful links, the status of Common root cert for each trust store, and any other relevant info related to Trust Stores and FPKI?

from fpki-guides.

Yes, IMO.

The Trust Store guide is very explicit to only one trust store, and doesn't address all or even why.

• the "GPO" section isn't a GPO
• suggesting to remove all other trust anchors can cause failures to boot; only suggest for specific purposes and outline what those are 👎
• piv-guides, specific to trust stores for some network items right now: https://github.com/GSA/piv-guides/blob/staging/_networkconfig/3_managingtrustroots.md

This item:

This process will have to be conducted every time a new certificate is issued by a FPKI CA.

• How do I do this? How do I know when something has changed? Who tells me? Do I get an alert? Do I check a webpage? Do I perform a query? How often should I check?

for this item:

A better method is to set your system to conduct dynamic path validation or use a SCVP service.

• if I do dynamic, are all my workstations or servers going to download files? from where? how big is this?

All items above would be additional to consider. Minimum first IMO.

from fpki-guides.

Sorry, computer died mid pull. They are the same.

from fpki-guides.

The trust store part has been addressed. Is this ready to close? It seems there are three different issues here. This also addresses some of #9

1. Information on Trust Stores and Common Policy
2. How to conduct trust store management to trust FPKI certificates
3. How to establish dynamic path validation (one issuer per type of platform)

Should this all be integrated with the PIV guide or vice versa? FPKI as the main guide with a section specific to PIV?

from fpki-guides.