On 5.3.2014 13:20, Stef Walter wrote:
On 03.03.2014 15:24, Jan Cholasta wrote:
On 3.3.2014 15:07, Stef Walter wrote:
On 03.03.2014 15:03, Jan Cholasta wrote:
If you plug a PKCS#11 module into p11-kit, will p11-kit use NSS trust
objects from the module?
No. This is the spec for storing trust policy in PKCS#11 that we've been
working on:
http://p11-glue.freedesktop.org/doc/storing-trust-policy/
It's a far more extensible and future proof model. The p11-kit-trust
module stores/loads these sorts of objects, and additionally also
generates NSS trust objects on the fly so that NSS can consume the
information.
It doesn't do that last bit for third party sources, but it could given
code :)
Code is not a problem :)
What would be the best way to provide trust policy to p11-kit from a
third party PKCS#11 module, if not NSS trust objects?
I obviously think that using the new stuff linked above would be best.
It's future proof and models this comprehensively. That would allow
extracting compat trust anchors to files (for crypto libraries that
don't yet support looking up trust via PKCS#11).
But I understand if you're hesitant to commit to this spec that's in
development (albeit already implemented).
Actually, I like it. Is everything mentioned at
<http://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-pkcs11.html>
going to be standardized?
There's a third simple way to store trust, which is using standard
PKCS#11. It's very limited:
* Store certificates with the CKA_TRUSTED attribute set to CKA_TRUE
and CKA_CERTIFICATE_CATEGORY set to 2.
This method covers storing certificate authority anchors only. The above
spec is a superset of this simple way of storing trust. NSS trust
objects are not.
So I would suggest implementing this simple mechanism and then implementing
the full spec later.
I'm afraid this is simple too much.
If you want to have a call/hangout about this and discuss, I'd be happy to.
Thanks!
Cheers,
Stef
--
Jan Cholasta
_______________________________________________
Freeipa-devel mailing list
https://www.redhat.com/mailman/listinfo/freeipa-devel
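Added example, not code from this thread or from p11-kit: a small Python model of the "simple standard PKCS#11" trust marking Stef describes (CKA_TRUSTED plus CKA_CERTIFICATE_CATEGORY) together with the consumer side that would extract compat anchors for a library unable to query PKCS#11 itself. The attribute and class constants are the PKCS#11 v2.20 values; the token contents are constructed in memory and CKA_VALUE holds placeholder bytes rather than real DER.

```python
# Attribute types, object classes and values from the PKCS#11 v2.20 header.
CKA_CLASS = 0x0000
CKA_LABEL = 0x0003
CKA_VALUE = 0x0011
CKA_CERTIFICATE_TYPE = 0x0080
CKA_TRUSTED = 0x0086
CKA_CERTIFICATE_CATEGORY = 0x0087
CKO_CERTIFICATE = 0x0001
CKO_PRIVATE_KEY = 0x0003
CKC_X_509 = 0x0000
CK_TRUE, CK_FALSE = 1, 0
# CKA_CERTIFICATE_CATEGORY: 0 unspecified, 1 token user, 2 authority, 3 other
CK_CATEGORY_AUTHORITY = 2


def anchor_template(label, der):
    """Attribute template a module holds for a CA certificate marked as an
    anchor.  PKCS#11 only lets the token SO set CKA_TRUSTED to CK_TRUE; an
    ordinary application session cannot promote a certificate this way."""
    return {CKA_CLASS: CKO_CERTIFICATE, CKA_CERTIFICATE_TYPE: CKC_X_509,
            CKA_LABEL: label, CKA_VALUE: der,
            CKA_TRUSTED: CK_TRUE, CKA_CERTIFICATE_CATEGORY: CK_CATEGORY_AUTHORITY}


def is_simple_trust_anchor(attrs):
    """Consumer's test: an X.509 certificate, trusted, category 'authority'.
    The scheme expresses nothing else (no distrust, no per-purpose trust)."""
    return (attrs.get(CKA_CLASS) == CKO_CERTIFICATE
            and attrs.get(CKA_CERTIFICATE_TYPE) == CKC_X_509
            and attrs.get(CKA_TRUSTED) == CK_TRUE
            and attrs.get(CKA_CERTIFICATE_CATEGORY) == CK_CATEGORY_AUTHORITY)


def extract_compat_anchors(objects):
    """Collect anchor DER blobs, as when writing a bundle file for a crypto
    library that cannot look trust up via PKCS#11 on its own."""
    return [o[CKA_VALUE] for o in objects if is_simple_trust_anchor(o)]


# Constructed token contents; CKA_VALUE holds placeholder bytes, not real DER.
TOKEN_OBJECTS = [
    anchor_template("Example Root CA", b"<constructed DER: root>"),
    # Same CA shape but CKA_TRUSTED false: stored on the token, not an anchor.
    {**anchor_template("Example Intermediate CA", b"<constructed DER: sub>"),
     CKA_TRUSTED: CK_FALSE},
    # Trusted end-entity certificate (category 1): not an anchor here either.
    {**anchor_template("service cert", b"<constructed DER: leaf>"),
     CKA_CERTIFICATE_CATEGORY: 1},
    # Not a certificate object at all.
    {CKA_CLASS: CKO_PRIVATE_KEY, CKA_LABEL: "service key"},
]

if __name__ == "__main__":
    for der in extract_compat_anchors(TOKEN_OBJECTS):
        print(der)
```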