stapling extensions to public keys instead of certificates? [was: Re: Sharing Trust Policy between Crypto Libraries]

Daniel Kahn Gillmor dkg at
Thu Jan 3 13:48:25 PST 2013

On 01/03/2013 03:45 PM, Nikos Mavrogiannopoulos wrote:
> One small patch also to allow for a subjectpublickeyinfo structure
> instead of a full certificate.

heh.   one of my side notes was about whether it makes sense to want to
staple these extensions to public keys instead of (or in addition to)

At the very least, i think that we should be capable of blacklisting
public keys directly (to avoid re-use of a blacklisted key in a new

But i also think it might be more complicated than nikos' proposed
simple patch suggests.

For example, let's say i encounter a certificate with extension X (it
doesn't have extension Y).  If i pin new contents of extension X to the
public key directly, and a new certificate (with extension Y) shows up
using the same public key, then the new certificate will be evaluated in
the context of extensions X and Y combined.

I suspect there are cases where the combination means something rather


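The two points in the message above, blacklisting a public key directly so that the same key cannot be reused in a fresh certificate, and the "extensions X and Y combined" effect of pinning per key rather than per certificate, as an added example that is not part of the original thread and not p11-glue or GnuTLS code. It issues two self-signed certificates for one ECDSA key, the first carrying extension X and the second extension Y (both hypothetical private-arc OIDs under 1.3.6.1.4.1.99999, constructed for the demo), and compares a blacklist keyed on the whole certificate with one keyed on the SHA-256 of the DER SubjectPublicKeyInfo. The `keyBlacklist` and `keyExtensions` types are illustrative stores, not any library's API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// spkiFingerprint hashes only the DER SubjectPublicKeyInfo. Every certificate
// that carries this key yields the same value, whatever else it says.
func spkiFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// certFingerprint hashes the whole DER certificate; it changes whenever any
// field or extension changes, even when the key stays the same.
func certFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// keyBlacklist is a hypothetical store of rejected keys, keyed on SPKI hash.
type keyBlacklist map[string]bool

func (b keyBlacklist) Add(cert *x509.Certificate)         { b[spkiFingerprint(cert)] = true }
func (b keyBlacklist) Blocks(cert *x509.Certificate) bool { return b[spkiFingerprint(cert)] }

// keyExtensions records, per SPKI, every extension OID seen on any certificate
// carrying that key: the "X and Y combined" view of a per-key pin store.
type keyExtensions map[string]map[string]bool

func (k keyExtensions) Record(cert *x509.Certificate) {
	id := spkiFingerprint(cert)
	if k[id] == nil {
		k[id] = map[string]bool{}
	}
	for _, e := range cert.Extensions {
		k[id][e.Id.String()] = true
	}
}

func (k keyExtensions) Count(cert *x509.Certificate) int { return len(k[spkiFingerprint(cert)]) }

// selfSigned issues a self-signed certificate for key with the given serial and
// extra non-critical extensions. Constructed test data, not a real issuer.
func selfSigned(key *ecdsa.PrivateKey, serial int64, extra ...pkix.Extension) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(serial),
		Subject:         pkix.Name{CommonName: "example.test"},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: extra,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Result summarises what Demo observed about the two certificates.
type Result struct {
	SameKey, SameCert                    bool
	SPKIBlocksReissue, CertBlocksReissue bool
	ExtsOnEachCert, ExtsCombined         int
}

// Demo issues cert A (extension X) and cert B (extension Y) for one key,
// blacklists A both ways, and checks which blacklist catches B.
func Demo() (Result, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Result{}, err
	}
	// Hypothetical private-arc OIDs standing in for "extension X" and "Y".
	extX := pkix.Extension{Id: asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}, Value: []byte{0x05, 0x00}}
	extY := pkix.Extension{Id: asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 2}, Value: []byte{0x05, 0x00}}
	certA, err := selfSigned(key, 1, extX)
	if err != nil {
		return Result{}, err
	}
	certB, err := selfSigned(key, 2, extY) // same key, new certificate
	if err != nil {
		return Result{}, err
	}
	byCert := map[string]bool{certFingerprint(certA): true}
	byKey := keyBlacklist{}
	byKey.Add(certA)
	seen := keyExtensions{}
	seen.Record(certA)
	seen.Record(certB)
	return Result{
		SameKey:           spkiFingerprint(certA) == spkiFingerprint(certB),
		SameCert:          certFingerprint(certA) == certFingerprint(certB),
		SPKIBlocksReissue: byKey.Blocks(certB),
		CertBlocksReissue: byCert[certFingerprint(certB)],
		ExtsOnEachCert:    len(certB.Extensions),
		ExtsCombined:      seen.Count(certB),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The certificate-keyed blacklist lets cert B through because its DER differs from cert A, while the SPKI-keyed one rejects it. The same SPKI keying is what produces the combined view: after both certificates are seen, the per-key record holds two extension OIDs although each certificate carries only one, which is the ambiguity the message raises about pinning extension contents to keys.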
