Defining header for stapled certificate extensions

Nikos Mavrogiannopoulos nmav at
Wed Sep 10 04:25:40 PDT 2014

On Wed, 2014-09-10 at 10:14 +0200, Stef Walter wrote:

> >> Because trust policy should not only apply to anchor certificates, even
> >> though OpenSSL and GnuTLS currently assume that it does.
> > 
> > I'm not sure I quite understand here. We are talking about the p11-kit
> > trust module, and as defined now, its trust policy applies to Anchor
> > certificates only. 
> No it doesn't. p11-kit-trust has trust policy that applies to *any*
> certificate. Until now only NSS consumed that additional trust policy.

That's pretty dangerous; the documentation only mentions anchor
certificates and that's what gnutls assumes. So does the current p11-kit
module return normal certificates in addition to anchor certificates? 


More information about the p11-glue mailing list