Storing Trust Policy, round two

Stef Walter stefw at
Thu Jun 13 05:00:38 PDT 2013

Long in coming, but I've updated the document we were discussing earlier
this year. Once again, the goal is to define a model and representation
where we can share basic trust information between crypto libraries/apps.

Thanks for all the helpful comments and insight. Here are some notes on
what's changed:

Split up the document into an more abstract model, with representations
documented separately. Currently only one representation (PKCS#11) has
been fleshed out. Placeholders for several others exist. Looking forward
to working together on others as the need arises.

Clarified the scope of the document. Currently the scope is representing
anchors and black lists. Although this is clearly targeted at validating
certificate chains for TLS and SSL, the feedback everyone gave allows it
to be more useful than just that. For example, the blacklist contains
public keys, so it could be used for things like SSH as well.

In the future we can tackle key pinning (and related certificate
exceptions). Removed this from the document at present.

Clarified that applications/implementations use additional trust
information along with the shared information as input.

Clarified that this is about local storage, not sharing information
remotely. Removed the erroneous attempt at defining an ASN.1 format.

Trust anchors are no longer only certificates, although that is one
(very common) form that they take. The model allows for public keys to
be trust anchors.

Updated the NSS trust object documentation based on insight received
from Bob Relyea.

Added information about layering various stores (system trust vs. user
defined trust).

In all I hope this revision makes much more sense than the previous
extremely rough document.

Thanks again for your insight and comments.

As before, the git repo for the document is here:

FWIW, the p11-kit trust module implements parts of this model, and I'll
work to bring it in line with what's in the document.



More information about the p11-glue mailing list