On Wed, 2014-09-10 at 10:03 +0200, Stef Walter wrote:
> >> Because such a certificate would be invalid.
> >> The whole point of attaching certificate extensions outside the
> >> certificate is exactly because they cannot be replaced in the
> >> certificate itself due to the signature.
> >
> > Why would that matter? The signature in an anchor certificate is not
> > verified as part of the verification process, and the caller would be
> > calling for exactly that, a certificate with its extensions overridden
> > with the local policy.
>
> Because trust policy should not only apply to anchor certificates, even
> though OpenSSL and GnuTLS currently assume that it does.

I'm not sure I quite understand here. We are talking about the p11-kit
trust module, and as defined now, its trust policy applies to Anchor
certificates only. That has nothing to do with OpenSSL or GnuTLS.

Nevertheless, I understand that this API was derived from NSS, and
that's the way NSS was doing its work. I just realized we can simplify
many things given the constraints and features of the p11-kit trust
module.

regards,
Nikos

_______________________________________________
p11-glue mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/p11-glue
