comparison with other stored security state mechanisms [was: Re: Sharing Trust Policy between Crypto Libraries]

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Jan 14 15:59:52 PST 2013


On 01/04/2013 10:33 PM, Stef Walter wrote:

[...]

> I agree with the various posts that there would be value in sharing
> public key pinning information between implementations (especially
> when multiple implementations are working with the same protocol and
> hosts, ie: http).
> Certificate Trust Policy
> Obviously these two trust schemes can be used together. In addition
> they could both share a blacklist of public keys.
> 
> So in my opinion, these can be complementary, could live in the same
> store (eg: as PKCS#11 objects), but I don't think we should try to
> shoe-horn them into the same concept and implement them the same way.


No, they don't, but as I understand the purpose[*] of "Sharing Trust
Policy between Crypto Libraries" is to have a common certificate/key
verification. 3 years ago sharing the CAs and a purpose would have been
sufficient, but today certificate verification involves more steps than
that.

If the new steps (such as pinning) are left as an exercise to the
reader, the common certificate/key verification is only partially possible.

An unrelated comment I have is that it may be better to define a simple
API to read and write the trust policy information rather than its
storage format. That way each OS could select its own back-ends and
applications will rely on a system library available everywhere.


[*]. I may be wrong on that. That would be my purpose :)

regards,
Nikos
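An added illustration of the two points above (verification now needs more than CAs plus a purpose, and a small read/write API over a backend-agnostic store); this is not code from this thread or from p11-glue. The class, function names, the in-memory backend and the SPKI byte strings are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field

def spki_fingerprint(spki_der: bytes) -> str:
    """SHA-256 of a SubjectPublicKeyInfo blob, hex encoded (the usual pin form)."""
    return hashlib.sha256(spki_der).hexdigest()

@dataclass
class TrustPolicyStore:
    """Backend-agnostic policy store; an OS could back it with PKCS#11 objects."""
    anchors: dict = field(default_factory=dict)  # CA name -> set of purposes
    pins: dict = field(default_factory=dict)     # host -> set of SPKI fingerprints
    blacklist: set = field(default_factory=set)  # SPKI fingerprints never to trust

    def add_anchor(self, ca: str, purpose: str) -> None:
        self.anchors.setdefault(ca, set()).add(purpose)

    def add_pin(self, host: str, spki: bytes) -> None:
        self.pins.setdefault(host, set()).add(spki_fingerprint(spki))

    def blacklist_key(self, spki: bytes) -> None:
        self.blacklist.add(spki_fingerprint(spki))

def verify(store, host, purpose, issuing_ca, chain_spkis, with_pinning=True):
    """Policy decision for an already path-validated chain (leaf first).
    `issuing_ca` is the anchor the chain terminated at. Returns (ok, reason).
    with_pinning=False models a library that stops at CA + purpose."""
    fps = [spki_fingerprint(s) for s in chain_spkis]
    if any(fp in store.blacklist for fp in fps):
        return False, "blacklisted public key in chain"
    if purpose not in store.anchors.get(issuing_ca, ()):
        return False, "anchor not trusted for purpose"
    pinned = store.pins.get(host)
    if with_pinning and pinned is not None and not pinned.intersection(fps):
        return False, "no pinned key in chain"
    return True, "ok"

def demo():
    """Constructed scenario: a chain for example.test ends at a trusted CA but
    carries a key other than the one pinned for that host. Two libraries
    sharing only CAs + purpose would disagree with one that also applies pins."""
    store = TrustPolicyStore()
    store.add_anchor("Example Root CA", "server-auth")
    store.add_pin("example.test", b"CONSTRUCTED-SPKI-GOOD")
    chain = [b"CONSTRUCTED-SPKI-OTHER", b"CONSTRUCTED-SPKI-ROOT"]
    args = (store, "example.test", "server-auth", "Example Root CA", chain)
    return verify(*args, with_pinning=False)[0], verify(*args)[0]
```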
