[Freeipa-devel] LDAP schema for PKCS#11

Stef Walter swalter at redhat.com
Wed Mar 12 15:14:01 UTC 2014


On 05.03.2014 18:02, Jan Cholasta wrote:
> On 5.3.2014 13:20, Stef Walter wrote:
>> On 03.03.2014 15:24, Jan Cholasta wrote:
>>> On 3.3.2014 15:07, Stef Walter wrote:
>>>> On 03.03.2014 15:03, Jan Cholasta wrote:
>>>>> If you plug a PKCS#11 module into p11-kit, will p11-kit use NSS trust
>>>>> objects from the module?
>>>>
>>>> No. This is the spec for storing trust policy in PKCS#11 that we've
>>>> been working on:
>>>>
>>>> http://p11-glue.freedesktop.org/doc/storing-trust-policy/
>>>>
>>>> It's a far more extensible and future proof model. The p11-kit-trust
>>>> module stores/loads these sorts of objects, and additionally also
>>>> generates NSS trust objects on the fly so that NSS can consume the
>>>> information.
>>>>
>>>> It doesn't do that last bit for third party sources, but it could given
>>>> code :)
>>>
>>> Code is not a problem :)
>>>
>>> What would be the best way to provide trust policy to p11-kit from a
>>> third party PKCS#11 module, if not NSS trust objects?
>>
>> I obviously think that using the new stuff linked above would be best.
>> It's future proof and models this comprehensively. That would allow
>> extracting compat trust anchors to files (for crypto libraries that
>> don't yet support looking up trust via PKCS#11).
>>
>> But I understand if you're hesitant to commit to this spec that's in
>> development (albeit already implemented).
> 
> Actually, I like it. Is everything mentioned at
> <http://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-pkcs11.html>
> going to be standardized?

Yes, that's the goal. Several people have been involved in reviewing the
spec, and I'm going through a second batch of reviews from the NSS guys.

Stef
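The message above describes two things the p11-kit trust module does with trust-policy objects: it generates NSS trust objects from them on the fly so NSS can consume them, and it can extract "compat" anchors to files for libraries that do not look up trust through PKCS#11. The following is an added illustrative model of that derivation, not p11-kit's own code and not the spec's normative text. Attribute and constant names follow the linked storing-trust-policy spec and NSS's pkcs11n.h as the editor understands them, but are kept symbolic (no numeric values); the precedence rule that a distrust assertion always beats an anchor assertion for the same purpose, and the sample certificate blobs, are this example's own assumptions.

```python
"""Illustrative model (not p11-kit code): fold p11-glue trust assertions
into NSS-style trust objects, then pick the anchors a file-based
consumer would be given."""

from dataclasses import dataclass

# Symbolic names only; values follow the spec / pkcs11n.h and are omitted here.
CKT_X_ANCHORED_CERTIFICATE = "CKT_X_ANCHORED_CERTIFICATE"
CKT_X_DISTRUSTED_CERTIFICATE = "CKT_X_DISTRUSTED_CERTIFICATE"
CKT_X_PINNED_CERTIFICATE = "CKT_X_PINNED_CERTIFICATE"

CKT_NSS_TRUSTED_DELEGATOR = "CKT_NSS_TRUSTED_DELEGATOR"
CKT_NSS_NOT_TRUSTED = "CKT_NSS_NOT_TRUSTED"
CKT_NSS_TRUST_UNKNOWN = "CKT_NSS_TRUST_UNKNOWN"

# Extended key usage OID (CKA_X_PURPOSE) -> NSS per-purpose trust attribute.
PURPOSE_TO_NSS_ATTR = {
    "1.3.6.1.5.5.7.3.1": "CKA_TRUST_SERVER_AUTH",
    "1.3.6.1.5.5.7.3.2": "CKA_TRUST_CLIENT_AUTH",
    "1.3.6.1.5.5.7.3.3": "CKA_TRUST_CODE_SIGNING",
    "1.3.6.1.5.5.7.3.4": "CKA_TRUST_EMAIL_PROTECTION",
}


@dataclass
class TrustAssertion:
    """One CKO_X_TRUST_ASSERTION: what is asserted, for which purpose, about which cert."""
    assertion_type: str   # CKA_X_ASSERTION_TYPE
    purpose: str          # CKA_X_PURPOSE, an EKU OID string
    cert_der: bytes       # CKA_X_CERTIFICATE_VALUE (DER)


def build_nss_trust_objects(assertions):
    """Return {cert_der: {CKA_TRUST_*: CKT_NSS_*}}, one NSS trust object per certificate.

    Assumed precedence (this example's rule): distrust for a purpose always wins
    over an anchor for the same purpose, regardless of the order assertions arrive.
    """
    objects = {}
    for a in assertions:
        obj = objects.setdefault(
            a.cert_der,
            {attr: CKT_NSS_TRUST_UNKNOWN for attr in PURPOSE_TO_NSS_ATTR.values()},
        )
        attr = PURPOSE_TO_NSS_ATTR.get(a.purpose)
        if attr is None:
            continue  # purpose with no NSS trust attribute counterpart
        if a.assertion_type == CKT_X_DISTRUSTED_CERTIFICATE:
            obj[attr] = CKT_NSS_NOT_TRUSTED
        elif a.assertion_type == CKT_X_ANCHORED_CERTIFICATE and obj[attr] != CKT_NSS_NOT_TRUSTED:
            obj[attr] = CKT_NSS_TRUSTED_DELEGATOR
        # CKT_X_PINNED_CERTIFICATE is per-peer and has no NSS trust-object equivalent.
    return objects


def compat_anchors(objects, nss_attr):
    """Certificates a file-based consumer should receive as anchors for one purpose."""
    return sorted(cert for cert, obj in objects.items()
                  if obj[nss_attr] == CKT_NSS_TRUSTED_DELEGATOR)


# Constructed sample input: placeholder byte strings, not real DER certificates.
CERT_A = b"\x30\x82\x00\x00A"
CERT_B = b"\x30\x82\x00\x00B"

SAMPLE = [
    TrustAssertion(CKT_X_ANCHORED_CERTIFICATE, "1.3.6.1.5.5.7.3.1", CERT_A),
    TrustAssertion(CKT_X_ANCHORED_CERTIFICATE, "1.3.6.1.5.5.7.3.4", CERT_A),
    TrustAssertion(CKT_X_DISTRUSTED_CERTIFICATE, "1.3.6.1.5.5.7.3.3", CERT_A),
    TrustAssertion(CKT_X_DISTRUSTED_CERTIFICATE, "1.3.6.1.5.5.7.3.1", CERT_B),
    # Arrives after the distrust; under the assumed precedence it must not undo it.
    TrustAssertion(CKT_X_ANCHORED_CERTIFICATE, "1.3.6.1.5.5.7.3.1", CERT_B),
]

if __name__ == "__main__":
    trust = build_nss_trust_objects(SAMPLE)
    for cert, obj in trust.items():
        print(cert, obj)
    print("serverAuth anchors:", compat_anchors(trust, "CKA_TRUST_SERVER_AUTH"))
```

The point a practitioner should take from this is the one the thread makes: the extensible assertion objects are the source of truth, and the NSS trust objects (or extracted anchor files) are a lossy, derived view. Pinned assertions in particular disappear in that view, so a consumer that only reads NSS trust objects does not see them.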