Sharing Trust Policy between Crypto Libraries

Jaroslav Imrich jaroslav.imrich at
Thu Dec 27 14:27:10 PST 2012

Hi Stef,

I've read the document just before Christmas and I just wanted to say
that I did not find any apparent errors in it. I really like the way
you summarized the existing solutions and designed new one "on the top
of them". I wanted to suggest the use of the numbered chapters, but I
can see now you've done this already.

Kind Regards / S pozdravom

Jaroslav Imrich
jaroslav.imrich at

On Thu, Dec 20, 2012 at 6:38 PM, Stef Walter <stefw at> wrote:
> As many of you know, I've been working on a standard representation for
> sharing trust policy between crypto libraries.
> As it turns out the previous effort, called trust assertions [1]
> suffered from several limitations, which no doubt many of you
> recognized. I've since retired that concept [2].
> After a bunch of discussion and thought, I've put together what I feel
> is a representation of trust policy that is viable.
> At its core it has the concept of "Stapled Certificate Extensions".
> Basically: storing additional certificate extensions locally together
> with a certificate anchor in order to constrain how it's used.
> This document (which is a pretty early state) should explain more of how
> that works, and the rationale behind it:
> The bonus is, that this meshes perfectly into current certificate
> validation algorithms, is extensible, but at the same time pretty easy
> to implement or retrofit.
> Any time spent on looking this concept over, commenting, pointing out
> holes, etc. is super appreciated.
> Cheers,
> Stef
> [1]
> [2] Here's why:
> _______________________________________________
> p11-glue mailing list
> p11-glue at

More information about the p11-glue mailing list