[Freeipa-devel] LDAP schema for PKCS#11

Jan Cholasta jcholast at redhat.com
Wed Mar 12 15:31:57 UTC 2014


On 12.3.2014 16:14, Stef Walter wrote:
> On 05.03.2014 18:02, Jan Cholasta wrote:
>> On 5.3.2014 13:20, Stef Walter wrote:
>>> On 03.03.2014 15:24, Jan Cholasta wrote:
>>>> On 3.3.2014 15:07, Stef Walter wrote:
>>>>> On 03.03.2014 15:03, Jan Cholasta wrote:
>>>>>> If you plug a PKCS#11 module into p11-kit, will p11-kit use NSS trust
>>>>>> objects from the module?
>>>>>
>>>>> No. This is the spec for storing trust policy in PKCS#11 that we've
>>>>> been working on:
>>>>>
>>>>> http://p11-glue.freedesktop.org/doc/storing-trust-policy/
>>>>>
>>>>> It's a far more extensible and future proof model. The p11-kit-trust
>>>>> module stores/loads these sorts of objects, and additionally also
>>>>> generates NSS trust objects on the fly so that NSS can consume the
>>>>> information.
>>>>>
>>>>> It doesn't do that last bit for third party sources, but it could given
>>>>> code :)
>>>>
>>>> Code is not a problem :)
>>>>
>>>> What would be the best way to provide trust policy to p11-kit from a
>>>> third party PKCS#11 module, if not NSS trust objects?
>>>
>>> I obviously think that using the new stuff linked above would be best.
>>> It's future proof and models this comprehensively. That would allow
>>> extracting compat trust anchors to files (for crypto libraries that
>>> don't yet support looking up trust via PKCS#11).
>>>
>>> But I understand if you're hesitant to commit to this spec that's in
>>> development (albeit already implemented).
>>
>> Actually, I like it. Is everything mentioned at
>> <http://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-pkcs11.html>
>> going to be standardized?
>
> Yes, that's the goal. Several people have been involved in reviewing the
> spec, and I'm going through a second batch of reviews from the NSS guys.

Great! Do you expect any big changes to happen during the review, or can 
the spec be considered stable enough to base an LDAP schema on it?

Honza

-- 
Jan Cholasta
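The part of the thread worth seeing in code is Stef's description of p11-kit-trust storing trust policy as PKCS#11 objects and then generating NSS trust objects on the fly so NSS can consume them. The following is an added example, not code from p11-kit, NSS or FreeIPA, that performs that projection for one certificate. The NSS vendor-defined constants are the values from NSS's pkcs11n.h; the TrustAssertion record, the assertion-type strings ANCHORED and DISTRUSTED, and the rule that a distrust assertion overrides an anchor for the same purpose are this example's own assumptions, modelled loosely on the draft spec linked above rather than taken from it. The certificate bytes in the usage section are constructed placeholders, not real DER.

```python
"""Added example: project trust assertions onto an NSS trust object.

Not p11-kit, NSS or FreeIPA code. The NSS constants below are from NSS's
pkcs11n.h; the assertion model is an assumption made for this example.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# PKCS#11 base attribute for object class.
CKA_CLASS = 0x00000000

# NSS vendor-defined values (pkcs11n.h). CKO_NSS / CKT_NSS share the base
# 0xCE534350; CKA_TRUST is the base for the trust-attribute family.
CKO_NSS_TRUST = 0xCE534350 + 3
CKA_TRUST = 0xCE536300
CKA_TRUST_SERVER_AUTH = CKA_TRUST + 8
CKA_TRUST_CLIENT_AUTH = CKA_TRUST + 9
CKA_TRUST_CODE_SIGNING = CKA_TRUST + 10
CKA_TRUST_EMAIL_PROTECTION = CKA_TRUST + 11
CKA_CERT_SHA1_HASH = CKA_TRUST + 100
CKA_CERT_MD5_HASH = CKA_TRUST + 101
CKT_NSS = 0xCE534350
CKT_NSS_TRUSTED_DELEGATOR = CKT_NSS + 2   # trusted as a CA for that purpose
CKT_NSS_TRUST_UNKNOWN = CKT_NSS + 5       # no policy recorded
CKT_NSS_NOT_TRUSTED = CKT_NSS + 10        # explicitly distrusted

# Extended key usage OIDs that NSS trust objects can express.
PURPOSE_TO_NSS_ATTR = {
    "1.3.6.1.5.5.7.3.1": CKA_TRUST_SERVER_AUTH,
    "1.3.6.1.5.5.7.3.2": CKA_TRUST_CLIENT_AUTH,
    "1.3.6.1.5.5.7.3.3": CKA_TRUST_CODE_SIGNING,
    "1.3.6.1.5.5.7.3.4": CKA_TRUST_EMAIL_PROTECTION,
}

# Assertion types, modelled here as plain strings (assumption of this example).
ANCHORED = "anchored-certificate"
DISTRUSTED = "distrusted-certificate"


@dataclass(frozen=True)
class TrustAssertion:
    """One trust assertion about a certificate (assumed model, not the spec)."""
    cert_der: bytes
    assertion_type: str
    purpose: Optional[str] = None  # EKU OID, or None meaning every purpose


def _purposes_of(assertion: TrustAssertion) -> Iterable[str]:
    if assertion.purpose is None:
        return PURPOSE_TO_NSS_ATTR.keys()
    # Purposes NSS cannot express are dropped, not silently mapped elsewhere.
    return [assertion.purpose] if assertion.purpose in PURPOSE_TO_NSS_ATTR else []


def nss_trust_object(cert_der: bytes,
                     assertions: Iterable[TrustAssertion]) -> Dict[int, object]:
    """Build the attribute template of a CKO_NSS_TRUST object for cert_der.

    Every purpose starts as CKT_NSS_TRUST_UNKNOWN. Anchors raise a purpose to
    CKT_NSS_TRUSTED_DELEGATOR; a distrust assertion for the same purpose wins
    and yields CKT_NSS_NOT_TRUSTED. Assertions about other certificates and
    unknown assertion types are ignored.
    """
    anchored, distrusted = set(), set()
    for a in assertions:
        if a.cert_der != cert_der:
            continue
        if a.assertion_type == ANCHORED:
            anchored.update(_purposes_of(a))
        elif a.assertion_type == DISTRUSTED:
            distrusted.update(_purposes_of(a))
        else:
            raise ValueError("unknown assertion type: %r" % a.assertion_type)

    template: Dict[int, object] = {
        CKA_CLASS: CKO_NSS_TRUST,
        # NSS locates trust objects by certificate hash.
        CKA_CERT_SHA1_HASH: hashlib.sha1(cert_der).digest(),
        CKA_CERT_MD5_HASH: hashlib.md5(cert_der).digest(),
    }
    for oid, attr in PURPOSE_TO_NSS_ATTR.items():
        if oid in distrusted:
            template[attr] = CKT_NSS_NOT_TRUSTED
        elif oid in anchored:
            template[attr] = CKT_NSS_TRUSTED_DELEGATOR
        else:
            template[attr] = CKT_NSS_TRUST_UNKNOWN
    return template


if __name__ == "__main__":
    # Constructed placeholder bytes standing in for a DER certificate.
    ca = b"constructed-placeholder-not-real-der"
    policy = [
        TrustAssertion(ca, ANCHORED),                       # anchor for everything
        TrustAssertion(ca, DISTRUSTED, "1.3.6.1.5.5.7.3.1"),  # ...except TLS servers
    ]
    for attr, value in sorted(nss_trust_object(ca, policy).items()):
        print("0x%08X: %r" % (attr, value))
```

The distrust-overrides-anchor rule is the point a reviewer of such a projection should check: if a third-party module ever emits both an anchor and a distrust for the same certificate and purpose, the generated NSS object must come out CKT_NSS_NOT_TRUSTED, never CKT_NSS_TRUSTED_DELEGATOR, or a blacklist entry in the source store is silently lost on the NSS side.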