author Jonas Smedegaard <dr@jones.dk> 2002-12-28 02:03:20 +0000
committer Jonas Smedegaard <dr@jones.dk> 2002-12-28 02:03:20 +0000
commit 2a4512ee828bc148f3532c9a0dc4813aeabf9d7d
tree 9599546c542903fc53d17519f38bb4d09a21670c /doc
parent 406cb66cf0a87480975b89c55f570e42b20d21b2
Misc. tweaks. FCS id added.
Diffstat (limited to 'doc')
-rw-r--r-- doc/Certificates.txt 46
-rw-r--r-- doc/Email.txt 11
2 files changed, 41 insertions, 16 deletions
diff --git a/doc/Certificates.txt b/doc/Certificates.txt
index 8c7acf7..6a71526 100644
--- a/doc/Certificates.txt
+++ b/doc/Certificates.txt
@@ -1,27 +1,49 @@
-Certificate Authority
----------------------
-CA Certificate is placed in /etc/ssl/certs/ and name closely to CN of
-organisation ( s/ /_/g ) appended "_CA.crt".
-
-CA Key is located in /etc/ssl/private/ named similarly appended
-"_CA.key".
-
-Certificate is symlinked to "/etc/ssl/certs/cacert.pem" for easy
-locating by scripts.
+Public Key Infrastructure (PKI)
+===============================
Hosts
-----
-Host certificates are placed in /etc/ssl/certs/ either named by the
-service they provide appended ".pem", or symlinked with that name from
+Host certificates can be either self-signed or signed by a CA. The
+private key can be either embedded into the same file as the certificate
+or in a separate file.
+
+The simplest form is a self-signed certificate with null-password
+embedded key.
+
+Self-signed host certificates contain both certificate and key in same
+file. The file is placed in /etc/ssl/certs/ named by the service it
+provides appended ".pem".
+
+CA signed host certificates , or symlinked with that name from
hostname.key or whatever makes best sense in the situation, either with
the key embedded or the key at the same place.
The script /usr/share/local/localmksslcerts can be used to make
self-signed certificates with embedded keys.
+Certificate Authority
+---------------------
+CA Certificates are divided in a public certificate and a private key.
+
+The CA certificate is placed in /etc/ssl/certs/ and named loosely by the
+CN of the organisation using digits [a-zA-Z0-9_-], appended "_CA.pem".
+
+Example: IT_guide_dr_Jones_CA.pem
+
+CA Key is located in /etc/ssl/private/ equally named.
+
+Certificate is symlinked to "/etc/ssl/certs/cacert.pem" for easy
+locating by scripts.
+
+Read here about confusion between commercial CAs and actual security:
+http://www.counterpane.com/pki-risks.html
+
Users
-----
Have a look at this web page:
http://www.cise.ufl.edu/help/secure-access/ssl-mail-setup.shtml
The script is at /usr/share/local/mycert - adapted to Debian GNU/Linux.
+
+--
+$Id: Certificates.txt,v 1.2 2002-12-28 02:03:20 jonas Exp $
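Review bot: The new Hosts text places a self-signed certificate with an embedded, null-password key in /etc/ssl/certs/ but says nothing about the ownership or mode of that file; since the private key sits there unencrypted, the doc should state who may read it (the CA section, by contrast, keeps its key separately in /etc/ssl/private/). The added line "CA signed host certificates , or symlinked with that name from" is also a fragment: the start of the old sentence, which said where the file is placed and how it is named, was lost, and there is a stray space before the comma. In the CA section, "[a-zA-Z0-9_-]" is a set of characters rather than digits, and with the certificate now ending in "_CA.pem" and the key "equally named", the two files differ only by directory, which is worth saying explicitly.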
diff --git a/doc/Email.txt b/doc/Email.txt
index 5adfca6..dc1d5a4 100644
--- a/doc/Email.txt
+++ b/doc/Email.txt
@@ -1,8 +1,9 @@
Mail Transport Agents (MTA)
---------------------------
-Postfix is generally used currently.
+Postfix is a good choice as allround MTA: Robust, elegant configuration
+logic, extreme scalability.
-A pool of Mail eXchange servers are registered in the file
+A pool of mail exchange (MX) backup servers is listed in the file
/etc/local-COMMON/postfix/permit_mx_backup_networks
(/etc/local-COMMON/postfix/mx_networks is deprecated!).
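Review bot: In the sentence introducing permit_mx_backup_networks, the text now says backup "servers" are listed while the file name says networks; state what an entry looks like (host address or network) so the two agree. "allround" should be "all-round", and "extreme scalability" would read better qualified or dropped, since the doc gives nothing to back it.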
@@ -67,6 +68,8 @@ some of the frustrations about getting SASL to work). Run the command
`lsof | grep sasl` to make sure.
------------
-Have a look here for an overview of interaction between the above agents
-and daemons:
+Here's a brief overview of interaction between mail agents and daemons:
http://lists.samba.org/pipermail/linux/1999-September/003605.html
+
+--
+$Id: Email.txt,v 1.2 2002-12-28 02:03:20 jonas Exp $
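Review bot: The reworded lead-in drops "the above", so "mail agents and daemons" no longer ties the link to the agents and daemons described earlier in the file; consider keeping that reference, and adding a line or two that summarises the interaction in the doc itself in case the external list-archive URL goes away.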