Addressing Linux's missing PKI infrastructure
Jon Seager, VP of engineering for Canonical, has announced a plan to develop a universal Public Key Infrastructure tool called upki:
Earlier this year, LWN featured an excellent article titled "Linux's missing CRL infrastructure". The article highlighted a number of key issues surrounding traditional Public Key Infrastructure (PKI), but critically noted how even the available measures are effectively ignored by the majority of system-level software on Linux.
One of the motivators for the discussion is that the Online Certificate Status Protocol (OCSP) will cease to be supported by Let's Encrypt. The remaining alternative is to use Certificate Revocation Lists (CRLs), yet there is little or no support for managing (or even querying) these lists in most Linux system utilities.
To solve this, I'm happy to share that in partnership with rustls maintainers Dirkjan Ochtman and Joe Birr-Pixton, we're starting the development of upki: a universal PKI tool. This project initially aims to close the revocation gap through the combination of a new system utility and eventual library support for common TLS/SSL libraries such as OpenSSL, GnuTLS and rustls.
No code is available as of yet, but the announcement indicates that upki will be available as an opt-in preview for Ubuntu 26.04 LTS. Thanks to Dirkjan Ochtman for the tip.