Defining header for stapled certificate extensions

Nikos Mavrogiannopoulos nmav at
Wed Sep 10 01:10:09 PDT 2014

On Wed, 2014-09-10 at 10:03 +0200, Stef Walter wrote:

> >> Because such a certificate would be invalid.
> >> The whole point of attaching certificate extensions outside the
> >> certificate is exactly because they cannot be replaced in the
> >> certificate itself due to the signature.
> > 
> > Why would that matter? The signature in an anchor certificate is not
> > verified as part of the verification process, and the caller would be
> > calling for exactly that, a certificate with its extensions overridden
> > with the local policy.
> Because trust policy should not only apply to anchor certificates, even
> though OpenSSL and GnuTLS currently assume that it does.

I'm not sure I quite understand here. We are talking about the p11-kit
trust module, and as defined now, its trust policy applies to Anchor
certificates only. That has nothing to do with openssl or gnutls.

Nevertheless, I understand that this API was derived from NSS, and
that's the way NSS was doing its work. I just realized we can simplify
much things given the constraints and features of the p11-kit trust


More information about the p11-glue mailing list