Defining header for stapled certificate extensions

Stef Walter stef at
Wed Sep 10 04:47:37 PDT 2014

On 10.09.2014 13:25, Nikos Mavrogiannopoulos wrote:
> On Wed, 2014-09-10 at 10:14 +0200, Stef Walter wrote:
>>>> Because trust policy should not only apply to anchor certificates, even
>>>> though OpenSSL and GnuTLS currently assume that it does.
>>> I'm not sure I quite understand here. We are talking about the p11-kit
>>> trust module, and as defined now, its trust policy applies to Anchor
>>> certificates only. 
>> No it doesn't. p11-kit-trust has trust policy that applies to *any*
>> certificate. Until now only NSS consumed that additional trust policy.
> That's pretty dangerous; the documentation only mentions anchor
> certificates and that's what gnutls assumes. 

Please point out the dangerous portions of the documentation explicitly
so we can fix them. Or the dangerous behavior... Interested in the
specific issues.

> So does the current p11-kit
> module return normal certificates in addition to anchor certificates? 

Yes, you can store any kind of X.509 certificate in there, just like on
other PKCS#11 tokens.

In addition you can add attached certificate extensions to any
certificate. That's the whole point of this document. The sets of
anchor, blacklist, and attached extensions are conceptually distinct.
