comparison with other stored security state mechanisms [was: Re: Sharing Trust Policy between Crypto Libraries]
tg at tgbit.net
Tue Jan 15 01:16:16 PST 2013
>>>>> On Tue, 15 Jan 2013 01:17:29 -0500, Simo Sorce <simo at redhat.com> said:
> It would be much easier to just write files out.
> Otherwise you are forced to refuse any cert if the daemon is not available
I started from the files idea, and would prefer something simple without a
daemon process. Writing just one file per host would not be enough, as we also
need to store additional metadata. It would involve creating directories for
each hostname:port:protocol, which would contain the raw cert/pubkey for
pinning, additional files for flags and attributes, and a lock file. If a
process crashes, it could leave lock files behind, though, which would have to
be detected and cleaned up.
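A sketch of the per-entry directory layout and stale-lock cleanup described in this message, as an added example that is not part of the original post or of any p11-glue code. The file names `pin`, `flags` and `lock`, the function names, and the PID-in-lock-file convention are assumptions; it assumes a POSIX filesystem with hard links.

```python
import os

def entry_dir(root, host, port, proto):
    # One directory per hostname:port:protocol, as in the layout described above.
    return os.path.join(root, f"{host}:{port}:{proto}")

def _owner_alive(lock):
    try:
        with open(lock) as f:
            pid = int(f.read().strip())
        if pid <= 0:
            return False
        os.kill(pid, 0)              # signal 0: existence check, nothing is sent
    except (ValueError, FileNotFoundError, ProcessLookupError):
        return False                 # garbage, already gone, or dead owner: stale
    except PermissionError:
        return True                  # owner exists but belongs to another user
    return True

def acquire_lock(d):
    """Take d/lock; reclaim it if the recorded owner PID is dead."""
    lock, tmp = os.path.join(d, "lock"), os.path.join(d, f"lock.{os.getpid()}")
    with open(tmp, "w") as f:
        f.write(str(os.getpid()))
    try:
        for _ in range(2):
            try:
                os.link(tmp, lock)   # atomic; lock never exists without a PID in it
                return True
            except FileExistsError:
                if _owner_alive(lock):
                    return False
                # Caveat: two reclaimers can race here, and PIDs get reused.
                try:
                    os.unlink(lock)
                except FileNotFoundError:
                    pass
        return False
    finally:
        os.unlink(tmp)

def store_pin(root, host, port, proto, pubkey, flags):
    d = entry_dir(root, host, port, proto)
    os.makedirs(d, mode=0o700, exist_ok=True)
    if not acquire_lock(d):
        return False
    try:
        for name, data in (("pin", pubkey), ("flags", flags.encode())):
            with open(os.path.join(d, name + ".new"), "wb") as f:
                f.write(data)
            os.replace(os.path.join(d, name + ".new"), os.path.join(d, name))
        return True
    finally:
        os.unlink(os.path.join(d, "lock"))
```

A kernel-held lock such as `flock` on a file in the directory is released when the holder dies, which avoids the stale-file cleanup at the cost of portability across some network filesystems.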