[Freeipa-devel] LDAP schema for PKCS#11

Jan Cholasta jcholast at redhat.com
Wed Mar 5 17:02:44 UTC 2014


On 5.3.2014 13:20, Stef Walter wrote:
> On 03.03.2014 15:24, Jan Cholasta wrote:
>> On 3.3.2014 15:07, Stef Walter wrote:
>>> On 03.03.2014 15:03, Jan Cholasta wrote:
>>>> If you plug a PKCS#11 module into p11-kit, will p11-kit use NSS trust
>>>> objects from the module?
>>>
>>> No. This is the spec for storing trust policy in PKCS#11 that we've been
>>> working on:
>>>
>>> http://p11-glue.freedesktop.org/doc/storing-trust-policy/
>>>
>>> It's a far more extensible and future proof model. The p11-kit-trust
>>> module stores/loads these sorts of objects, and additionally also
>>> generates NSS trust objects on the fly so that NSS can consume the
>>> information.
>>>
>>> It doesn't do that last bit for third party sources, but it could given
>>> code :)
>>
>> Code is not a problem :)
>>
>> What would be the best way to provide trust policy to p11-kit from a
>> third party PKCS#11 module, if not NSS trust objects?
>
> I obviously think that using the new stuff linked above would be best.
> It's future proof and models this comprehensively. That would allow
> extracting compat trust anchors to files (for crypto libraries that
> don't yet support looking up trust via PKCS#11).
>
> But I understand if you're hesitant to commit to this spec that's in
> development (albeit already implemented).

Actually, I like it. Is everything mentioned at 
<http://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-pkcs11.html> 
going to be standardized?

>
> There's a third simple way to store trust, which is using standard
> PKCS#11. It's very limited:
>
>   * Store certificates with the CKA_TRUSTED attribute set to CKA_TRUE
>     and CKA_CERTIFICATE_CATEGORY set to 2.
>
> This method covers storing certificate authority anchors only. The above
> spec is a superset of this simple way of storing trust. NSS trust
> objects are not.
>
> So I would suggest implementing this simple mechanism and then implement
> the full spec later.

I'm afraid this is too simple.

>
> If you want to have a call/hangout about this and discuss, I'd be happy to.

Thanks!

>
> Cheers,
>
> Stef
>


-- 
Jan Cholasta
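The "simple standard PKCS#11" way of marking anchors that Stef describes above (a CKO_CERTIFICATE object with CKA_TRUSTED set and CKA_CERTIFICATE_CATEGORY = 2) is what a consumer such as p11-kit would look for with a C_FindObjects template. The program below is an added illustration written for this page; it is not code from the thread, from FreeIPA or from p11-kit. It reproduces the PKCS#11 template-matching rule over an in-memory stand-in for a token and shows which of three constructed certificate objects qualify as CA anchors. Two details worth naming: the PKCS#11 boolean constant is CK_TRUE (the mail writes CKA_TRUE), and category value 2 is CK_CERTIFICATE_CATEGORY_AUTHORITY in PKCS#11 v2.20. The constants are the standard values, written out here so the example builds without pkcs11.h; the `token_object` struct, the object labels and the placeholder CKA_VALUE bytes are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* PKCS#11 v2.20 constants, written out so the example builds without pkcs11.h.
 * The values are the standard ones; CK_ATTRIBUTE keeps the header's field order. */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
#define CK_TRUE ((CK_BBOOL)1)
#define CKA_CLASS                0x00000000UL
#define CKA_VALUE                0x00000011UL
#define CKA_TRUSTED              0x00000086UL
#define CKA_CERTIFICATE_CATEGORY 0x00000087UL
#define CKO_CERTIFICATE          0x00000001UL
#define CK_CERTIFICATE_CATEGORY_AUTHORITY    2UL  /* the "set to 2" in the mail */
#define CK_CERTIFICATE_CATEGORY_OTHER_ENTITY 3UL  /* an end-entity certificate */

typedef struct { CK_ULONG type; const void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
/* In-memory stand-in for one token object: a label (for printing only) and its attributes. */
typedef struct { const char *label; const CK_ATTRIBUTE *attrs; size_t nattrs; } token_object;

/* C_FindObjects matching rule: every template attribute must be present on the
 * object with the same length and byte-identical value.  An attribute the object
 * lacks is a mismatch; attributes the template does not name are ignored. */
static int object_matches(const token_object *obj, const CK_ATTRIBUTE *tmpl, size_t ntmpl)
{
    for (size_t i = 0; i < ntmpl; i++) {
        int found = 0;
        for (size_t j = 0; j < obj->nattrs && !found; j++)
            found = obj->attrs[j].type == tmpl[i].type &&
                    obj->attrs[j].ulValueLen == tmpl[i].ulValueLen &&
                    memcmp(obj->attrs[j].pValue, tmpl[i].pValue, tmpl[i].ulValueLen) == 0;
        if (!found)
            return 0;
    }
    return 1;
}

/* Attribute values shared by the template and the sample objects. */
static const CK_ULONG cls_certificate = CKO_CERTIFICATE;
static const CK_BBOOL bool_true       = CK_TRUE;
static const CK_ULONG cat_authority   = CK_CERTIFICATE_CATEGORY_AUTHORITY;
static const CK_ULONG cat_other       = CK_CERTIFICATE_CATEGORY_OTHER_ENTITY;

/* The anchor search from the mail: a certificate object with CKA_TRUSTED set
 * and CKA_CERTIFICATE_CATEGORY = 2 (authority). */
static const CK_ATTRIBUTE anchor_template[] = {
    { CKA_CLASS,                &cls_certificate, sizeof cls_certificate },
    { CKA_TRUSTED,              &bool_true,       sizeof bool_true },
    { CKA_CERTIFICATE_CATEGORY, &cat_authority,   sizeof cat_authority },
};
#define ANCHOR_TEMPLATE_LEN (sizeof anchor_template / sizeof anchor_template[0])

/* Constructed sample token.  The CKA_VALUE bytes are placeholders, not real DER. */
static const unsigned char der_a[] = { 0x30, 0x03, 0x02, 0x01, 0x01 };
static const unsigned char der_b[] = { 0x30, 0x03, 0x02, 0x01, 0x02 };
static const unsigned char der_c[] = { 0x30, 0x03, 0x02, 0x01, 0x03 };
static const CK_ATTRIBUTE trusted_ca[] = {        /* qualifies as an anchor */
    { CKA_CLASS, &cls_certificate, sizeof cls_certificate },
    { CKA_TRUSTED, &bool_true, sizeof bool_true },
    { CKA_CERTIFICATE_CATEGORY, &cat_authority, sizeof cat_authority },
    { CKA_VALUE, der_a, sizeof der_a },
};
static const CK_ATTRIBUTE trusted_host_cert[] = { /* trusted, but not a CA */
    { CKA_CLASS, &cls_certificate, sizeof cls_certificate },
    { CKA_TRUSTED, &bool_true, sizeof bool_true },
    { CKA_CERTIFICATE_CATEGORY, &cat_other, sizeof cat_other },
    { CKA_VALUE, der_b, sizeof der_b },
};
static const CK_ATTRIBUTE untagged_ca[] = {       /* a CA with no CKA_TRUSTED at all */
    { CKA_CLASS, &cls_certificate, sizeof cls_certificate },
    { CKA_CERTIFICATE_CATEGORY, &cat_authority, sizeof cat_authority },
    { CKA_VALUE, der_c, sizeof der_c },
};

#define N(a) (sizeof (a) / sizeof (a)[0])
static const token_object sample_token[] = {
    { "trusted-ca",        trusted_ca,        N(trusted_ca) },
    { "trusted-host-cert", trusted_host_cert, N(trusted_host_cert) },
    { "untagged-ca",       untagged_ca,       N(untagged_ca) },
};

/* Count the objects a consumer would load as CA anchors. */
static size_t count_anchors(const token_object *objs, size_t nobjs)
{
    size_t n = 0;
    for (size_t i = 0; i < nobjs; i++)
        n += object_matches(&objs[i], anchor_template, ANCHOR_TEMPLATE_LEN);
    return n;
}

int main(void)
{
    printf("%zu of %zu sample objects qualify as CA anchors\n",
           count_anchors(sample_token, N(sample_token)), N(sample_token));
    for (size_t i = 0; i < N(sample_token); i++)
        printf("  %-18s %s\n", sample_token[i].label,
               object_matches(&sample_token[i], anchor_template, ANCHOR_TEMPLATE_LEN)
                   ? "anchor" : "not an anchor");
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run; only `trusted-ca` is reported as an anchor. The other two objects show the two ways a certificate falls outside this scheme: a trusted end-entity certificate is not an anchor because its category is not 2, and a CA certificate that simply lacks CKA_TRUSTED never matches, because a missing attribute is a template mismatch rather than a default. The template can express nothing except "this certificate is a CA anchor", which is the limitation the mail is pointing at when it says the method covers storing certificate authority anchors only.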
