[Freeipa-devel] LDAP schema for PKCS#11

Stef Walter swalter at redhat.com
Fri Mar 14 17:23:08 UTC 2014


On 12.03.2014 16:31, Jan Cholasta wrote:
> On 12.3.2014 16:14, Stef Walter wrote:
>> On 05.03.2014 18:02, Jan Cholasta wrote:
>>> On 5.3.2014 13:20, Stef Walter wrote:
>>>> On 03.03.2014 15:24, Jan Cholasta wrote:
>>>>> On 3.3.2014 15:07, Stef Walter wrote:
>>>>>> On 03.03.2014 15:03, Jan Cholasta wrote:
>>>>>>> If you plug a PKCS#11 module into p11-kit, will p11-kit use NSS trust
>>>>>>> objects from the module?
>>>>>>
>>>>>> No. This is the spec for storing trust policy in PKCS#11 that we've been
>>>>>> working on:
>>>>>>
>>>>>> http://p11-glue.freedesktop.org/doc/storing-trust-policy/
>>>>>>
>>>>>> It's a far more extensible and future proof model. The p11-kit-trust
>>>>>> module stores/loads these sorts of objects, and additionally also
>>>>>> generates NSS trust objects on the fly so that NSS can consume the
>>>>>> information.
>>>>>>
>>>>>> It doesn't do that last bit for third party sources, but it could, given
>>>>>> code :)
>>>>>
>>>>> Code is not a problem :)
>>>>>
>>>>> What would be the best way to provide trust policy to p11-kit from a
>>>>> third party PKCS#11 module, if not NSS trust objects?
>>>>
>>>> I obviously think that using the new stuff linked above would be best.
>>>> It's future proof and models this comprehensively. That would allow
>>>> extracting compat trust anchors to files (for crypto libraries that
>>>> don't yet support looking it up trust via PKCS#11).
>>>>
>>>> But I understand if you're hesitant to commit to this spec that's in
>>>> development (albeit already implemented).
>>>
>>> Actually, I like it. Is everything mentioned at
>>> <http://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-pkcs11.html>
>>> going to be standardized?
>>
>> Yes, that's the goal. Several people have been involved in reviewing the
>> spec, and I'm going through a second batch of reviews from the NSS guys.
> 
> Great! Do you expect any big changes to happen during the review, or can
> the spec be considered stable enough to base an LDAP schema on it?

I'd like to think so. Yes.

Stef
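The thread above describes the p11-kit-trust module loading trust-policy objects from the storing-trust-policy spec and generating NSS trust objects from them so that NSS can consume the information. The block below is an added example, not part of the original thread and not p11-kit's own code: a small Python model of that mapping. The CKT_X_* and CKA_TRUST_*/CKT_NSS_* names follow the spec and the NSS PKCS#11 headers as I recall them, but the numeric constants are deliberately not reproduced and string tags are used instead; the precedence rules (distrust beats anchor, pinned assertions have no NSS counterpart), the TrustAssertion class and the sample assertions are this example's own constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assertion types defined by the storing-trust-policy spec (symbolic names;
# the numeric CK_* constants are intentionally not reproduced here).
CKT_X_ANCHORED_CERTIFICATE = "x-anchored-certificate"
CKT_X_DISTRUSTED_CERTIFICATE = "x-distrusted-certificate"
CKT_X_PINNED_CERTIFICATE = "x-pinned-certificate"

# Extended-key-usage OIDs (RFC 5280) and the NSS trust attribute each one
# corresponds to on a CKO_NSS_TRUST object.
PURPOSE_TO_NSS_ATTR: Dict[str, str] = {
    "1.3.6.1.5.5.7.3.1": "CKA_TRUST_SERVER_AUTH",
    "1.3.6.1.5.5.7.3.2": "CKA_TRUST_CLIENT_AUTH",
    "1.3.6.1.5.5.7.3.3": "CKA_TRUST_CODE_SIGNING",
    "1.3.6.1.5.5.7.3.4": "CKA_TRUST_EMAIL_PROTECTION",
}

# NSS trust values (symbolic, see the note above about numeric constants).
CKT_NSS_TRUSTED_DELEGATOR = "CKT_NSS_TRUSTED_DELEGATOR"
CKT_NSS_NOT_TRUSTED = "CKT_NSS_NOT_TRUSTED"
CKT_NSS_TRUST_UNKNOWN = "CKT_NSS_TRUST_UNKNOWN"


@dataclass(frozen=True)
class TrustAssertion:
    """One CKO_X_TRUST_ASSERTION (modelled here, not the spec's exact layout):
    the certificate it is about (issuer + serial), the assertion type, and the
    purpose OID it is limited to. purpose=None means every purpose."""
    issuer: str
    serial: str
    assertion_type: str
    purpose: Optional[str] = None


def _nss_attrs_for(purpose: Optional[str]) -> List[str]:
    """NSS trust attributes touched by an assertion with this purpose."""
    if purpose is None:
        return list(PURPOSE_TO_NSS_ATTR.values())
    attr = PURPOSE_TO_NSS_ATTR.get(purpose)
    # A purpose that NSS has no trust attribute for cannot be expressed and
    # is dropped rather than guessed at.
    return [attr] if attr else []


def build_nss_trust_object(issuer: str, serial: str,
                           assertions: List[TrustAssertion]) -> Optional[Dict[str, str]]:
    """Derive the CKO_NSS_TRUST object for one certificate, or None when no
    anchor or distrust assertion says anything about it.

    Rules are this example's own (chosen to fail safe, not p11-kit's exact
    logic): anchors set TRUSTED_DELEGATOR for their purposes; distrust sets
    NOT_TRUSTED and always wins over an anchor for the same purpose; pinned
    assertions are ignored because an NSS trust object cannot express pinning.
    """
    mine = [a for a in assertions if a.issuer == issuer and a.serial == serial]
    anchors = [a for a in mine if a.assertion_type == CKT_X_ANCHORED_CERTIFICATE]
    distrusts = [a for a in mine if a.assertion_type == CKT_X_DISTRUSTED_CERTIFICATE]
    if not anchors and not distrusts:
        return None

    trust = {attr: CKT_NSS_TRUST_UNKNOWN for attr in PURPOSE_TO_NSS_ATTR.values()}
    for a in anchors:
        for attr in _nss_attrs_for(a.purpose):
            trust[attr] = CKT_NSS_TRUSTED_DELEGATOR
    for a in distrusts:  # second pass, so distrust wins whatever the input order
        for attr in _nss_attrs_for(a.purpose):
            trust[attr] = CKT_NSS_NOT_TRUSTED

    obj = {"CKA_CLASS": "CKO_NSS_TRUST", "CKA_ISSUER": issuer, "CKA_SERIAL_NUMBER": serial}
    obj.update(trust)
    return obj


# Constructed sample input (not real CA data): one root anchored for every
# purpose but explicitly distrusted for TLS server auth, and one certificate
# that is only pinned.
SAMPLE_ASSERTIONS = [
    TrustAssertion("CN=Example Root", "01", CKT_X_ANCHORED_CERTIFICATE),
    TrustAssertion("CN=Example Root", "01", CKT_X_DISTRUSTED_CERTIFICATE, "1.3.6.1.5.5.7.3.1"),
    TrustAssertion("CN=Pinned Peer", "2a", CKT_X_PINNED_CERTIFICATE, "1.3.6.1.5.5.7.3.1"),
]

if __name__ == "__main__":
    print(build_nss_trust_object("CN=Example Root", "01", SAMPLE_ASSERTIONS))
    print(build_nss_trust_object("CN=Pinned Peer", "2a", SAMPLE_ASSERTIONS))
```

The point a practitioner should take from this is the one Stef makes: the spec's assertion objects carry more than an NSS trust object can (per-purpose distrust alongside a general anchor, pinning), so the generated NSS object is a lossy projection, and any LDAP schema built on the spec should store the assertions themselves rather than the derived NSS view.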