Defining header for stapled certificate extensions
nmav at redhat.com
Wed Sep 10 00:58:05 PDT 2014
On Wed, 2014-09-10 at 09:53 +0200, Stef Walter wrote:
> >> Obviously not all callers may be willing to change their entire
> >> implementation around to do this, and might choose an approach which
> >> ends up at the same result.
> > I think API-wise this approach is very cumbersome. After searching the
> > PKCS #11 module for an issuer certificate, an implementation must start
> > searching for the overridden extensions, and replace them in the
> > certificate.
> > Why not simplify, and provide a search option for an anchor certificate
> > that has already its overridden extensions replaced?
> Because such a certificate would be invalid.
> The whole point of attaching certificate extensions outside the
> certificate is exactly because they cannot be replaced in the
> certificate itself due to the signature.
Why would that matter? The signature in an anchor certificate is not
verified as part of the verification process, and the caller would be
calling for exactly that, a certificate with its extensions overridden
with the local policy.
More information about the p11-glue