Defining header for stapled certificate extensions

Nikos Mavrogiannopoulos nmav at
Wed Sep 10 01:05:32 PDT 2014

On Wed, 2014-09-10 at 09:57 +0200, Stef Walter wrote:

> >> Sure I can do it. There is no list. But I guess we can reference the
> >> PKIX list, and then note the specific cases where we deviate from
> >> their behavior.
> > 
> > I'd prefer to restrict the scope. The RFC5280 extension are very
> > extensive with very different requirements, which may not apply to a
> > system-wide certificate store. Also, as I user of the trust store, I
> > don't support all the RFC5280 extensions, and I'd like to know which
> > extensions to support in order to use the trust store. Otherwise, if I'm
> > expected to implement every single bit of RFC5280 to support the trust
> > store, I should give up from now.
> It really isn't that hard.
> In general you should retrieve extensions from the trust store for the
> extensions you already process on any certificate.
> For example if you add support for respecting NameConstraints in a
> certificate chain, at that point you start retrieving the attached
> NameConstraints certificate extensions and processing them as if they
> were on the certificates.
> If you currently *don't* support NameConstraints then don't bother
> retrieving them from the trust store.

The point is, that I want to support whatever the trust store supports,
and as it is now I have no idea what the trust store supports. You point
to RFC5280 and say potentially everything, but this is pointless, as the
trust store doesn't provide the tooling to override any possible
extension in RFC5280. Are there tools to override extensions in the
trust store? How do the existing overrides get there?

> > That is because with p11-kit, I'd have no idea about the policies
> and
> > features, meaning more risky usage of it, as it is used without
> context.
> > I believe the p11-kit trust module should provide a profile of the
> > available policies, and features (something like the quote below).
> I can copy and paste the text from RFC5280 if that would make you
> happy,
> and note exceptions. In general we support any certificate extension
> that RFC5280 supports, but our callers may not support them all.

I believe we are talking past each other. By support, I am not referring
to a potential future implementation. If today I want to add
NameConstraints in a CA in the trust store, can I do it with some tools?
If yes, which tools are they, and which other extensions do they


More information about the p11-glue mailing list