Hi, I'm doing a few experiments with p11-kit's trust module. I'm wondering if it's possible to modify a trust anchor that exists in a .p11-kit file via some syntax that I could place in a different .p11-kit file. In particular, I want to apply some extra constraints to a root CA from the Mozilla CA list, but I don't want to edit the .p11-kit file that contains the Mozilla CA list, since that file is managed by Fedora's package manager and will presumably get overwritten periodically outside of my control. So I figure it would be useful to put those extra constraints in a different .p11-kit file that isn't managed by the package manager.
I have no idea whether this is a supported use case at the moment. In my testing, I wasn't able to make any extra constraints take effect unless they were part of the .p11-kit file that contains the Mozilla CA list, but I'm pretty new to p11-kit, so I wouldn't be at all surprised if I'm simply doing something wrong. I figure I should probably check whether this is even intended to be possible before I continue trying to debug why it's not working for me. (The lack of documentation of the .p11-kit format definitely doesn't make it any easier for me to tell if I'm doing something wrong.) Cheers, -- -Jeremy Rand Lead Application Engineer at Namecoin Mobile email: jeremyrandmob...@airmail.cc Mobile OpenPGP: 2158 0643 C13B B40F B0FD 5854 B007 A32D AB44 3D9C Send non-security-critical things to my Mobile with OpenPGP. Please don't send me unencrypted messages. My business email jer...@veclabs.net is having technical issues at the moment.
signature.asc
Description: OpenPGP digital signature
_______________________________________________ p11-glue mailing list p11-glue@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/p11-glue
