Sharing Trust Policy between Crypto Libraries

Jaroslav Imrich jaroslav.imrich at gmail.com
Thu Dec 27 14:27:10 PST 2012


Hi Stef,

I've read the document just before Christmas and I just wanted to say
that I did not find any apparent errors in it. I really like the way
you summarized the existing solutions and designed a new one "on top
of them". I wanted to suggest the use of numbered chapters, but I
can see now you've done this already.

-- 
Kind Regards / S pozdravom

Jaroslav Imrich
http://www.jimrich.sk
jaroslav.imrich at gmail.com


On Thu, Dec 20, 2012 at 6:38 PM, Stef Walter <stefw at redhat.com> wrote:
> As many of you know, I've been working on a standard representation for
> sharing trust policy between crypto libraries.
>
> As it turns out the previous effort, called trust assertions [1]
> suffered from several limitations, which no doubt many of you
> recognized. I've since retired that concept [2].
>
> After a bunch of discussion and thought, I've put together what I feel
> is a representation of trust policy that is viable.
>
> At its core it has the concept of "Stapled Certificate Extensions".
> Basically: storing additional certificate extensions locally together
> with a certificate anchor in order to constrain how it's used.
>
> This document (which is in a pretty early state) should explain more of how
> that works, and the rationale behind it:
>
> http://p11-glue.freedesktop.org/doc/sharing-trust-policy/
>
> The bonus is that this meshes perfectly into current certificate
> validation algorithms, is extensible, but at the same time pretty easy
> to implement or retrofit.
>
> Any time spent on looking this concept over, commenting, pointing out
> holes, etc. is super appreciated.
>
> Cheers,
>
> Stef
>
> [1] http://p11-glue.freedesktop.org/doc/pkcs11-trust-assertions/
>
> [2] Here's why:
> http://p11-glue.freedesktop.org/doc/sharing-trust-policy/#trust-assertions
> _______________________________________________
> p11-glue mailing list
> p11-glue at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/p11-glue
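The quoted message describes "stapled certificate extensions": policy stored locally next to a trust anchor, as extra X.509 extensions, which a validator merges with the anchor's own extensions before building a path. The following is an added toy model of that idea, written for this archive page; it is not code from Stef's document, from p11-glue or from p11-kit. Certificates are plain dataclasses rather than DER, the extension names (`extendedKeyUsage`, `nameConstraints`) and the sample anchor and leaves are constructed, and the DNS name-constraint matching follows the RFC 5280 rule (a constraint of `example.com` matches `example.com` and any subdomain). The point it shows is that the same anchor certificate, unchanged, can be restricted to TLS server authentication under `example.com` purely by what is stapled beside it.

```python
"""Toy model of stapled certificate extensions (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Certificate:
    """Minimal stand-in for an X.509 certificate (constructed, not DER)."""
    subject: str
    issuer: str
    extensions: Dict[str, object] = field(default_factory=dict)
    san_dns: List[str] = field(default_factory=list)


@dataclass
class TrustAnchor:
    """An anchor certificate plus the extensions stapled to it locally."""
    cert: Certificate
    stapled: Dict[str, object] = field(default_factory=dict)

    def effective_extensions(self) -> Dict[str, object]:
        # A stapled extension takes precedence over one carried in the
        # certificate itself; extensions not stapled are left untouched.
        merged = dict(self.cert.extensions)
        merged.update(self.stapled)
        return merged


def dns_matches(name: str, constraint: str) -> bool:
    """RFC 5280 DNS subtree rule: the constraint matches the name itself
    and any name formed by adding labels on the left."""
    name = name.lower().rstrip(".")
    constraint = constraint.lower().rstrip(".")
    return name == constraint or name.endswith("." + constraint)


def validate(anchor: TrustAnchor, leaf: Certificate, purpose: str) -> Tuple[bool, str]:
    """Check a leaf against an anchor using the anchor's effective (stapled)
    extensions. Returns (accepted, reason). Signatures are out of scope here."""
    if leaf.issuer != anchor.cert.subject:
        return False, "leaf was not issued by this anchor"

    exts = anchor.effective_extensions()

    # Stapled extendedKeyUsage limits what the anchor may vouch for.
    eku = exts.get("extendedKeyUsage")
    if eku is not None and purpose not in eku:
        return False, f"purpose {purpose!r} not permitted by effective extendedKeyUsage"

    # Stapled nameConstraints limit which names the anchor may vouch for.
    nc = exts.get("nameConstraints") or {}
    permitted = nc.get("permitted", [])
    excluded = nc.get("excluded", [])
    for dns in leaf.san_dns:
        if any(dns_matches(dns, c) for c in excluded):
            return False, f"{dns} lies in an excluded subtree"
        if permitted and not any(dns_matches(dns, c) for c in permitted):
            return False, f"{dns} lies outside every permitted subtree"

    return True, "ok"


def build_demo():
    """Constructed sample data: one root, stapled policy, and three leaves."""
    root = Certificate("Example Root CA", "Example Root CA",
                       extensions={"basicConstraints": {"ca": True}})
    # The root certificate itself carries no EKU and no name constraints;
    # the local policy is entirely in the stapled extensions.
    anchor = TrustAnchor(root, stapled={
        "extendedKeyUsage": ["serverAuth"],
        "nameConstraints": {"permitted": ["example.com"],
                            "excluded": ["internal.example.com"]},
    })
    leaves = {
        "ok": Certificate("www.example.com", "Example Root CA", san_dns=["www.example.com"]),
        "wrong_domain": Certificate("shop.example.org", "Example Root CA", san_dns=["shop.example.org"]),
        "excluded": Certificate("db.internal.example.com", "Example Root CA",
                                san_dns=["db.internal.example.com"]),
    }
    return anchor, leaves


if __name__ == "__main__":
    anchor, leaves = build_demo()
    for label, leaf in leaves.items():
        for purpose in ("serverAuth", "codeSigning"):
            print(f"{label:13} {purpose:12} -> {validate(anchor, leaf, purpose)}")
```

Running the block prints one line per leaf and purpose; only `www.example.com` for `serverAuth` is accepted. Removing the `stapled` dictionary from the anchor makes the validator accept the same root for every purpose and every name, which is exactly the "before" state the message wants to constrain.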

