On 12.03.2014 16:31, Jan Cholasta wrote:
> On 12.3.2014 16:14, Stef Walter wrote:
>> On 05.03.2014 18:02, Jan Cholasta wrote:
>>> On 5.3.2014 13:20, Stef Walter wrote:
>>>> On 03.03.2014 15:24, Jan Cholasta wrote:
>>>>> On 3.3.2014 15:07, Stef Walter wrote:
>>>>>> On 03.03.2014 15:03, Jan Cholasta wrote:
>>>>>>> If you plug a PKCS#11 module into p11-kit, will p11-kit use NSS
>>>>>>> trust objects from the module?
>>>>>>
>>>>>> No. This is the spec for storing trust policy in PKCS#11 that we've
>>>>>> been working on:
>>>>>>
>>>>>> http://p11-glue.freedesktop.org/doc/storing-trust-policy/
>>>>>>
>>>>>> It's a far more extensible and future-proof model. The p11-kit-trust
>>>>>> module stores/loads these sorts of objects, and additionally also
>>>>>> generates NSS trust objects on the fly so that NSS can consume the
>>>>>> information.
>>>>>>
>>>>>> It doesn't do that last bit for third-party sources, but it could
>>>>>> given code :)
>>>>>
>>>>> Code is not a problem :)
>>>>>
>>>>> What would be the best way to provide trust policy to p11-kit from a
>>>>> third-party PKCS#11 module, if not NSS trust objects?
>>>>
>>>> I obviously think that using the new stuff linked above would be best.
>>>> It's future-proof and models this comprehensively. That would allow
>>>> extracting compat trust anchors to files (for crypto libraries that
>>>> don't yet support looking up trust via PKCS#11).
>>>>
>>>> But I understand if you're hesitant to commit to this spec that's in
>>>> development (albeit already implemented).
>>>
>>> Actually, I like it. Is everything mentioned at
>>> <http://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-pkcs11.html>
>>> going to be standardized?
>>
>> Yes, that's the goal. Several people have been involved in reviewing the
>> spec, and I'm going through a second batch of reviews from the NSS guys.
>
> Great! Do you expect any big changes to happen during the review, or can
> the spec be considered stable enough to base an LDAP schema on it?

I'd like to think so. Yes.

Stef

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel