comparison with other stored security state mechanisms [was: Re: Sharing Trust Policy between Crypto Libraries]

Gabor Toth tg at
Tue Jan 15 01:16:16 PST 2013

>>>>> On Tue, 15 Jan 2013 01:17:29 -0500, Simo Sorce <simo at> said:

> It would be much easier to just write files out.
> Otherwise you are forced to refuse any cert if the daemon is not available

I started from the files idea, and would prefer something simple without a
daemon process. Writing just one file per host would not be enough, as we also
need to store additional metadata. It would involve creating directories for
each hostname:port:protocol, which would contain the raw cert/pubkey for
pinning, additional files for flags and attributes, and a lock file. If a
process crashes, it could leave lock files behind, though, which would have to
be detected and cleaned up.


More information about the p11-glue mailing list