Re: [RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2]

Mimi Zohar wrote: > The x509_validate_trust() was originally added for IMA to ensure, on a > secure boot system, a certificate chain of trust rooted in hardware. > The IMA MOK keyring extends this certificate chain of trust to the > running system. The problem is that

Re: [RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2]

On Wed, 2016-01-06 at 13:21 +, David Howells wrote: > Mimi Zohar wrote: > > > The x509_validate_trust() was originally added for IMA to ensure, on a > > secure boot system, a certificate chain of trust rooted in hardware. > > The IMA MOK keyring extends this

Re: [RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2]

Mimi Zohar wrote: > Once the builtin keys are loaded onto the system keyring, isn't the > system keyring locked? No. David -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majord...@vger.kernel.org More

Re: [RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2]

On Tue, 2016-01-05 at 16:39 +, David Howells wrote: > Mimi Zohar wrote: > > > You're missing Petko's patch: > > 41c89b6 IMA: create machine owner and blacklist keyrings > > Hmmm... This is wrong. x509_key_preparse() shouldn't be polling the IMA MOK > keyring

Re: [RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2]

On 16-01-06 13:21:27, David Howells wrote: > Mimi Zohar wrote: > > > The x509_validate_trust() was originally added for IMA to ensure, on a > > secure boot system, a certificate chain of trust rooted in hardware. The > > IMA > > MOK keyring extends this certificate

Re: [RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2]

Mimi Zohar wrote: > You're missing Petko's patch: > 41c89b6 IMA: create machine owner and blacklist keyrings It should also be cc'd to the keyrings mailing list. David -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of

Re: [RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2]

On 16-01-05 16:40:31, David Howells wrote: > Mimi Zohar wrote: > > > You're missing Petko's patch: > > 41c89b6 IMA: create machine owner and blacklist keyrings > > It should also be cc'd to the keyrings mailing list. Right. If i am not terribly mistaken there's no

Re: [RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2]

On Tue, 2016-01-05 at 15:47 +, David Howells wrote: > If a certificate is self-signed, don't bother checking the validity of the > signature. The cert cannot be checked by validation against the next one > in the chain as this is the root of the chain. Trust for this certificate > can only

Re: [RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2]

Mimi Zohar wrote: > You're missing Petko's patch: > 41c89b6 IMA: create machine owner and blacklist keyrings Hmmm... This is wrong. x509_key_preparse() shouldn't be polling the IMA MOK keyring under all circumstances. David -- To unsubscribe from this list: send the

Re: [RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2]

David Howells wrote: > If a certificate is self-signed, don't bother checking the validity of the > signature. The cert cannot be checked by validation against the next one > in the chain as this is the root of the chain. Trust for this certificate > can only be determined

[RFC PATCH] X.509: Don't check the signature on apparently self-signed keys

If a certificate is self-signed, don't bother checking the validity of the signature. The cert cannot be checked by validation against the next one in the chain as this is the root of the chain. Trust for this certificate can only be determined by whether we obtained it from a trusted location