Defining header for stapled certificate extensions
Stef Walter
stef at thewalter.net
Wed Sep 10 04:47:37 PDT 2014
On 10.09.2014 13:25, Nikos Mavrogiannopoulos wrote:
> On Wed, 2014-09-10 at 10:14 +0200, Stef Walter wrote:
>
>>>> Because trust policy should not only apply to anchor certificates, even
>>>> though OpenSSL and GnuTLS currently assume that it does.
>>>
>>> I'm not sure I quite understand here. We are talking about the p11-kit
>>> trust module, and as defined now, its trust policy applies to Anchor
>>> certificates only.
>>
>> No it doesn't. p11-kit-trust has trust policy that applies to *any*
>> certificate. Until now only NSS consumed that additional trust policy.
>
> That's pretty dangerous; the documentation only mentions anchor
> certificates and that's what gnutls assumes.

Please point out the dangerous portions of the documentation explicitly
so we can fix them. Or the dangerous behavior... Interested in the
specific issues.

> So does the current p11-kit
> module return normal certificates in addition to anchor certificates?

Yes, you can store any kind of X.509 certificate in there, just like on
other PKCS#11 tokens.

In addition you can add attached certificate extensions to any
certificate. That's the whole point of this document. The sets of
anchor, blacklist, and attached extensions are conceptually distinct.

Cheers,
Stef
--
stef at thewalter.net
http://stef.thewalter.net
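To make the disagreement above concrete, here is an added toy model (not p11-kit code, no PKCS#11 calls) of the three conceptually distinct sets Stef describes: anchors, a blacklist of distrusted certificates, and extensions attached to arbitrary certificates. Certificates are constructed stand-in records keyed by a SHA-256 fingerprint of placeholder bytes; the `TrustStore` class, the `validate()` function and the `"eku"` attached-extension key are assumptions of this example. The `anchors_only` flag models a consumer that consults the store only to decide whether a certificate is an anchor, which is the behaviour the thread says OpenSSL and GnuTLS assume; the scenarios show what such a consumer silently accepts.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not real DER)."""
    subject: str
    issuer: str
    body: bytes                      # placeholder for the DER encoding
    eku: frozenset = frozenset()     # EKUs carried by the cert itself; empty = unrestricted

    def fingerprint(self) -> str:
        return hashlib.sha256(self.body).hexdigest()

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


@dataclass
class TrustStore:
    """The three distinct sets from the mail, each keyed by certificate fingerprint."""
    anchors: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    attached: dict = field(default_factory=dict)   # fingerprint -> {"eku": frozenset(...)}


def effective_eku(cert: Cert, store: TrustStore) -> frozenset:
    """An attached (stapled) extension overrides the one encoded in the certificate."""
    return store.attached.get(cert.fingerprint(), {}).get("eku", cert.eku)


def validate(chain, store, purpose, anchors_only=False):
    """Walk a leaf-first chain and return (accepted, reason).

    anchors_only=True models a consumer that looks at the store only to ask
    "is this an anchor?", ignoring blacklist entries and attached extensions
    on every certificate that is not an anchor.
    """
    for i, cert in enumerate(chain):
        fp = cert.fingerprint()
        if i + 1 < len(chain) and chain[i + 1].subject != cert.issuer:
            return False, f"{cert.subject}: issuer does not match next certificate"
        is_anchor = fp in store.anchors
        if not anchors_only or is_anchor:
            if fp in store.blacklist:
                return False, f"{cert.subject} is distrusted"
            allowed = effective_eku(cert, store)
            if allowed and purpose not in allowed:
                return False, f"{cert.subject} not permitted for {purpose}"
        if is_anchor:
            return True, f"chain ends at anchor {cert.subject}"
        if cert.is_self_signed():
            return False, f"{cert.subject} is self-signed but not an anchor"
    return False, "chain does not reach a trusted certificate"


def scenarios():
    """Constructed chain: leaf <- Sub CA <- Root CA, with the root as the only anchor."""
    root = Cert("Root CA", "Root CA", b"constructed root cert")
    sub = Cert("Sub CA", "Root CA", b"constructed intermediate cert")
    leaf = Cert("www.example.test", "Sub CA", b"constructed leaf cert")
    chain = [leaf, sub, root]
    store = TrustStore(anchors={root.fingerprint()})
    results = {"clean": validate(chain, store, "server_auth")}

    # Operator distrusts the intermediate without touching the anchor.
    # A consumer that applies policy to anchors only never notices.
    store.blacklist.add(sub.fingerprint())
    results["blacklisted_full"] = validate(chain, store, "server_auth")
    results["blacklisted_anchors_only"] = validate(chain, store, "server_auth", anchors_only=True)
    store.blacklist.clear()

    # Attached extension on the anchor restricts the purposes it may vouch for.
    store.attached[root.fingerprint()] = {"eku": frozenset({"server_auth"})}
    results["anchor_restricted_ok"] = validate(chain, store, "server_auth")
    results["anchor_restricted_code"] = validate(chain, store, "code_signing")

    # Attached extension on the leaf: honoured by a full consumer, invisible to an
    # anchors-only consumer.
    store.attached[leaf.fingerprint()] = {"eku": frozenset({"client_auth"})}
    results["leaf_attached_full"] = validate(chain, store, "server_auth")
    results["leaf_attached_anchors_only"] = validate(chain, store, "server_auth", anchors_only=True)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:28s} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

The two `*_anchors_only` results are the point of the thread: a store that records distrust or constraints for non-anchor certificates is only as good as the consumers that read those records, so a consumer treating the store as a list of anchors loses both the blacklist and every stapled extension below the anchor.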