I'm working on adding to certmonger the ability to read the IPA root certificate from the server and store it locally, and I'm looking at the V4 shared certificate store feature [1] with an eye toward also pulling down and processing those certificates. Before I head down that path, I've got a few questions about the schema that the page describes for storing trust information.
Is the ipaKeyTrust attribute meant to be a part of the ipaKeyPolicy object class?

Looking at the ipaKeyTrust attribute, the description suggests that it's a directoryString that should contain one of 'unknown', 'trusted', or 'distrusted' as its value. The syntax doesn't guarantee that, and that ambiguity makes me a little nervous. Any chance of tweaking the schema to remove that possibility?

The ipaKeyExtUsage attribute, along with ipaKeyTrust values of 'trusted' and 'distrusted', appears to map pretty directly to the sort of information that OpenSSL stores in trusted certificates [2], but going through the man pages for x509(1) and verify(1), I don't see anything that obviously corresponds to an ipaKeyTrust value of 'unknown'. What's that value intended to signify, and how would consumers of the certificates be expected to treat certificates from entries with that ipaKeyTrust value?

Are there examples of what the ipaKeyUsage attribute should contain?

Is there a recommended method for mapping from this representation to the form that we'd pass to certutil(1)'s '-t' option when storing the certificates in NSS databases, or is the intent that it be translated into NSS-specific PKCS#11 attributes set on those certificates?

Thanks,

Nalin

[1] http://www.freeipa.org/page/V4/CA_certificate_renewal#Shared_certificate_store
[2] http://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-existing.html#openssl-trusted

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel