Sharing Trust Policy between Crypto Libraries

Stef Walter stefw at redhat.com
Thu Dec 20 09:38:09 PST 2012


As many of you know, I've been working on a standard representation for
sharing trust policy between crypto libraries.

As it turns out the previous effort, called trust assertions [1]
suffered from several limitations, which no doubt many of you
recognized. I've since retired that concept [2].

After a bunch of discussion and thought, I've put together what I feel
is a representation of trust policy that is viable.

At its core it has the concept of "Stapled Certificate Extensions".
Basically: storing additional certificate extensions locally together
with a certificate anchor in order to constrain how it's used.

This document (which is a pretty early state) should explain more of how
that works, and the rationale behind it:

http://p11-glue.freedesktop.org/doc/sharing-trust-policy/

The bonus is, that this meshes perfectly into current certificate
validation algorithms, is extensible, but at the same time pretty easy
to implement or retrofit.

Any time spent on looking this concept over, commenting, pointing out
holes, etc. is super appreciated.

Cheers,

Stef

[1] http://p11-glue.freedesktop.org/doc/pkcs11-trust-assertions/

[2] Here's why:
http://p11-glue.freedesktop.org/doc/sharing-trust-policy/#trust-assertions


More information about the p11-glue mailing list