On Tue, May 16, 2017 at 10:52 AM, Jakob Bohm via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:
> On 16/05/2017 19:36, Peter Bowen wrote:
>>
>> My experience is that Mozilla is very open to taking patches and will
>> help contributors get things into acceptable form, so I'm sure they
>> would be happy to take patches if there is demand for such. It is
>> fairly important that someone who is going to use the attributes put
>> together the patch, otherwise it may prove to be useless. For
>> example, I could easily create a patch that adds a CKA_TRUST_FILTER
>> attribute that is designed to be fed into a case statement to indicate
>> the filter to be applied. Based on the code, it looks like I probably
>> need a "cnnic" case, a "wosign" case, and a "globalsignr2" case.
>> This meets my needs, but it might not meet your needs.
>>
>
> Ok, can you point me to any "graduated trust" actually present in
> certdata.txt?

See the CKA_TRUST_SERVER_AUTH, CKA_TRUST_EMAIL_PROTECTION,
CKA_TRUST_CODE_SIGNING, and CKA_TRUST_STEP_UP_APPROVED attributes in
CKO_NSS_TRUST class objects. They all represent non-binary trust of
roots, similar to that contained in the OpenSSL X509_AUX structure
mentioned much earlier in the thread.

Thanks,
Peter
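
The per-purpose trust attributes named in the reply above can be read directly from the CKO_NSS_TRUST objects in certdata.txt. The following is an added example, not part of the original thread and not NSS code: a small parser run over a constructed sample in certdata.txt syntax (the labels and hash bytes are made up, and `parse_trust_objects` and `trusted_for` are hypothetical helper names).

```python
# Constructed sample in certdata.txt syntax; labels and hash bytes are made up.
SAMPLE = r'''
# Trust for "Example Root A"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root A"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\001\002\003\004
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

# Trust for "Example Root B"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root B"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
'''

def parse_trust_objects(text):
    """Return {label: {CKA_TRUST_* attribute: value}} for each CKO_NSS_TRUST object."""
    objects, current, in_octal = [], None, False
    for line in text.splitlines():
        line = line.strip()
        if in_octal:                          # skip octal payload up to END
            in_octal = line != "END"
            continue
        parts = line.split(None, 2)
        if len(parts) < 2 or line.startswith("#"):
            continue                          # blank, comment, or BEGINDATA
        name, ctype = parts[0], parts[1]
        value = parts[2] if len(parts) > 2 else ""
        if ctype == "MULTILINE_OCTAL":        # value follows on later lines
            in_octal = True
        elif name == "CKA_CLASS":             # CKA_CLASS opens a new object
            current = {"CKA_CLASS": value}
            objects.append(current)
        elif current is not None:
            current[name] = value.strip('"') if ctype == "UTF8" else value
    return {o.get("CKA_LABEL", "?"): {k: v for k, v in o.items()
                                      if k.startswith("CKA_TRUST_")}
            for o in objects if o["CKA_CLASS"] == "CKO_NSS_TRUST"}

def trusted_for(trust, attribute):
    """Labels of roots marked as trust anchors for one purpose attribute."""
    return sorted(label for label, attrs in trust.items()
                  if attrs.get(attribute) == "CKT_NSS_TRUSTED_DELEGATOR")
```

In the sample, "Example Root A" is an anchor for server authentication only and "Example Root B" for e-mail protection only, which is the per-purpose (non-binary) trust the reply refers to.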