stapling extensions to public keys instead of certificates? [was: Re: Sharing Trust Policy between Crypto Libraries]

Nikos Mavrogiannopoulos n.mavrogiannopoulos at
Fri Jan 4 15:15:26 PST 2013

On 01/04/2013 04:12 PM, Simo Sorce wrote:

> On Thu, 2013-01-03 at 23:28 +0100, Stef Walter wrote:
>> Which raises the question (for me at least):
>> If it makes sense to store trust policy associated the public key *of*
>> a certificate instead of the certificate itself (see question above),
>> then should stapled certificate extensions should always be associated
>> with a given public key, and never with a certificate directly?
>> Obviously this depends on the earlier questions.
> Why would it make any sense to store trust policies associated to a key
> rather than the cert ? 

Think what is the difference of raw key with a certificate. The
certificate contains additional information added by a CA. So for local
policies, whether it is a raw key that you set them or a certificate has
no difference.

For example you receive an ssh key. You store it and use the policy: SSH
key. There is no need to contain it in a dummy certificate for that.
The same for DNSSEC keys.


More information about the p11-glue mailing list