Defining header for stapled certificate extensions
nmav at redhat.com
Wed Sep 10 04:25:40 PDT 2014
On Wed, 2014-09-10 at 10:14 +0200, Stef Walter wrote:
> >> Because trust policy should not only apply to anchor certificates, even
> >> though OpenSSL and GnuTLS currently assume that it does.
> > I'm not sure I quite understand here. We are talking about the p11-kit
> > trust module, and as defined now, its trust policy applies to Anchor
> > certificates only.
> No it doesn't. p11-kit-trust has trust policy that applies to *any*
> certificate. Until now only NSS consumed that additional trust policy.
That's pretty dangerous; the documentation only mentions anchor
certificates and that's what gnutls assumes. So does the current p11-kit
module return normal certificates in addition to anchor certificates?
More information about the p11-glue