Defining header for stapled certificate extensions

Stef Walter stef at thewalter.net
Wed Sep 10 04:47:37 PDT 2014


On 10.09.2014 13:25, Nikos Mavrogiannopoulos wrote:
> On Wed, 2014-09-10 at 10:14 +0200, Stef Walter wrote:
> 
>>>> Because trust policy should not only apply to anchor certificates, even
>>>> though OpenSSL and GnuTLS currently assume that it does.
>>>
>>> I'm not sure I quite understand here. We are talking about the p11-kit
>>> trust module, and as defined now, its trust policy applies to Anchor
>>> certificates only. 
>>
>> No it doesn't. p11-kit-trust has trust policy that applies to *any*
>> certificate. Until now only NSS consumed that additional trust policy.
> 
> That's pretty dangerous; the documentation only mentions anchor
> certificates and that's what gnutls assumes. 

Please point out the dangerous portions of the documentation explicitly
so we can fix them. Or the dangerous behavior... Interested in the
specific issues.

> So does the current p11-kit
> module return normal certificates in addition to anchor certificates? 

Yes, you can store any kind of X.509 certificate in there, just like on
other PKCS#11 tokens.

In addition, you can add attached certificate extensions to any
certificate. That's the whole point of this document. The sets of
anchor, blacklist, and attached extensions are conceptually distinct.

Cheers,

Stef

-- 

stef at thewalter.net
http://stef.thewalter.net
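As an added illustration of the point made above, that blacklist entries and attached (stapled) extensions are policy on any certificate in a chain and not only on anchors, here is a small Python model of the three distinct sets and of a validator that consults them. This is example code written for this page, not code from p11-kit, GnuTLS or NSS: the certificates are constructed dicts keyed by a SHA-256 of a stand-in byte string, and the names TrustStore, verify_chain, build_sample and the anchors_only flag are assumptions of the example rather than any project's API. The anchors_only flag models a consumer that only looks at trust policy on the anchor.

```python
"""Model of trust policy that applies to any certificate in a chain.

Added example for this page, not code from p11-kit, GnuTLS or NSS.
Certificates are constructed dicts with a stand-in 'der' byte string;
the store keys anchors, blacklist entries and stapled extensions by the
SHA-256 of that byte string. TrustStore, verify_chain and anchors_only
are names chosen for this example only.
"""
import hashlib

OID_EXT_KEY_USAGE = "2.5.29.37"
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"


def fingerprint(cert):
    """Identify a certificate the way a token would: by a digest of its DER."""
    return hashlib.sha256(cert["der"]).hexdigest()


class TrustStore:
    """Three conceptually distinct sets: anchors, blacklist, stapled extensions."""

    def __init__(self):
        self.anchors = set()
        self.blacklist = set()
        self.stapled = {}  # fingerprint -> {extension OID: value}

    def add_anchor(self, cert):
        self.anchors.add(fingerprint(cert))

    def add_blacklist(self, cert):
        self.blacklist.add(fingerprint(cert))

    def staple(self, cert, oid, value):
        # An attached extension may be added to any certificate, anchor or not.
        self.stapled.setdefault(fingerprint(cert), {})[oid] = value

    def effective_extension(self, cert, oid):
        """A stapled extension takes precedence over the certificate's own."""
        stapled = self.stapled.get(fingerprint(cert), {})
        if oid in stapled:
            return stapled[oid]
        return cert["extensions"].get(oid)


def verify_chain(store, chain, purpose, anchors_only=False):
    """Validate chain[0] (leaf) .. chain[-1] (anchor) for an EKU purpose.

    anchors_only=True consults blacklist and stapled extensions for the
    anchor only, i.e. a consumer that treats the store as anchors plus
    policy on anchors. Returns (ok, reason).
    """
    if not chain:
        return False, "empty chain"
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            return False, f"{child['subject']} not issued by {parent['subject']}"
    if fingerprint(chain[-1]) not in store.anchors:
        return False, f"{chain[-1]['subject']} is not a trust anchor"
    for index, cert in enumerate(chain):
        consult_policy = not anchors_only or index == len(chain) - 1
        if consult_policy and fingerprint(cert) in store.blacklist:
            return False, f"{cert['subject']} is blacklisted"
        if consult_policy:
            eku = store.effective_extension(cert, OID_EXT_KEY_USAGE)
        else:
            eku = cert["extensions"].get(OID_EXT_KEY_USAGE)
        # Absent EKU means unrestricted; a present EKU must list the purpose.
        if eku is not None and purpose not in eku:
            return False, f"{cert['subject']} not permitted for {purpose}"
    return True, "ok"


def make_cert(subject, issuer, der, eku=None):
    cert = {"subject": subject, "issuer": issuer, "der": der, "extensions": {}}
    if eku is not None:
        cert["extensions"][OID_EXT_KEY_USAGE] = set(eku)
    return cert


def build_sample():
    """Constructed chain: anchored root, unrestricted intermediate, server leaf.

    The store restricts the intermediate to clientAuth by stapling an EKU
    onto it, without touching the anchor set.
    """
    root = make_cert("Example Root", "Example Root", b"constructed-root-der")
    inter = make_cert("Example Intermediate", "Example Root", b"constructed-inter-der")
    leaf = make_cert("www.example.test", "Example Intermediate",
                     b"constructed-leaf-der", eku=[EKU_SERVER_AUTH])
    store = TrustStore()
    store.add_anchor(root)
    store.staple(inter, OID_EXT_KEY_USAGE, {EKU_CLIENT_AUTH})
    return store, [leaf, inter, root]
```

Run verify_chain(store, chain, EKU_SERVER_AUTH) on the sample with and without anchors_only: with policy applied to every certificate the stapled EKU on the intermediate rejects the server chain, while the anchor-only consumer accepts it, and the same split appears once the intermediate is blacklisted. That gap is exactly what a consumer that reads only anchors from the token misses.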