[Freeipa-devel] LDAP schema for PKCS#11

Stef Walter swalter at redhat.com
Wed Mar 5 12:20:52 UTC 2014


On 03.03.2014 15:24, Jan Cholasta wrote:
> On 3.3.2014 15:07, Stef Walter wrote:
>> On 03.03.2014 15:03, Jan Cholasta wrote:
>>> If you plug a PKCS#11 module into p11-kit, will p11-kit use NSS trust
>>> objects from the module?
>>
>> No. This is the spec for storing trust policy in PKCS#11 that we've been
>> working on:
>>
>> http://p11-glue.freedesktop.org/doc/storing-trust-policy/
>>
>> It's a far more extensible and future proof model. The p11-kit-trust
>> module stores/loads these sorts of objects, and additionally also
>> generates NSS trust objects on the fly so that NSS can consume the
>> information.
>>
>> It doesn't do that last bit for third party sources, but it could given
>> code :)
> 
> Code is not a problem :)
> 
> What would be the best way to provide trust policy to p11-kit from a
> third party PKCS#11 module, if not NSS trust objects?

I obviously think that using the new stuff linked above would be best.
It's future proof and models this comprehensively. That would allow
extracting compat trust anchors to files (for crypto libraries that
don't yet support looking up trust via PKCS#11).

But I understand if you're hesitant to commit to this spec that's in
development (albeit already implemented).

There's a third simple way to store trust, which is using standard
PKCS#11. It's very limited:

 * Store certificates with the CKA_TRUSTED attribute set to CKA_TRUE
   and CKA_CERTIFICATE_CATEGORY set to 2.

This method covers storing certificate authority anchors only. The above
spec is a superset of this simple way of storing trust. NSS trust
objects are not.

So I would suggest implementing this simple mechanism and then implementing
the full spec later.

If you want to have a call/hangout about this and discuss, I'd be happy to.

Cheers,

Stef
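The "simple" convention above is just a pair of attributes on an ordinary CKO_CERTIFICATE object, so it is easy to show both sides of it: the template a module would store for a CA anchor, and the check a consumer must apply before treating a stored certificate as one. The C below is an added example, not code from p11-kit or FreeIPA. It reproduces the handful of PKCS#11 type and constant definitions it needs (with the values from the published pkcs11.h, where the boolean is spelled CK_TRUE) so that it compiles without the real header; the certificate bytes and labels are constructed placeholders.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal PKCS#11 types and constants, reproduced here (values as in the
 * published pkcs11.h) so the example compiles without the real header. */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef struct {
    CK_ULONG type;
    void    *pValue;
    CK_ULONG ulValueLen;
} CK_ATTRIBUTE;

#define CK_TRUE                  ((CK_BBOOL)1)
#define CK_FALSE                 ((CK_BBOOL)0)
#define CKA_CLASS                0x000UL
#define CKA_TOKEN                0x001UL
#define CKA_LABEL                0x003UL
#define CKA_VALUE                0x011UL
#define CKA_CERTIFICATE_TYPE     0x080UL
#define CKA_TRUSTED              0x086UL
#define CKA_CERTIFICATE_CATEGORY 0x087UL
#define CKO_CERTIFICATE          0x001UL
#define CKC_X_509                0x000UL
/* Category values: 0 unspecified, 1 token user (end entity), 2 authority.
 * The mail's "set to 2" is the authority value. */
#define CK_CERTIFICATE_CATEGORY_UNSPECIFIED 0UL
#define CK_CERTIFICATE_CATEGORY_TOKEN_USER  1UL
#define CK_CERTIFICATE_CATEGORY_AUTHORITY   2UL

#define N_ATTRS(t) (sizeof (t) / sizeof (t)[0])

static CK_ULONG cls_cert   = CKO_CERTIFICATE;
static CK_ULONG type_x509  = CKC_X_509;
static CK_ULONG cat_auth   = CK_CERTIFICATE_CATEGORY_AUTHORITY;
static CK_ULONG cat_user   = CK_CERTIFICATE_CATEGORY_TOKEN_USER;
static CK_ULONG cat_unspec = CK_CERTIFICATE_CATEGORY_UNSPECIFIED;
static CK_BBOOL b_true     = CK_TRUE;
static CK_BBOOL b_false    = CK_FALSE;
/* Constructed placeholder, not a real certificate: a consumer would read
 * the DER from CKA_VALUE and hand it to its X.509 library. */
static unsigned char der_placeholder[] = { 0x30, 0x82, 0x01, 0x00 };
static char label_ca[] = "Example Root CA (constructed)";
static char label_ee[] = "Example server cert (constructed)";

/* What the mail says a module should store for a CA trust anchor. */
const CK_ATTRIBUTE ca_anchor_tmpl[] = {
    { CKA_CLASS,                &cls_cert,       sizeof cls_cert        },
    { CKA_TOKEN,                &b_true,         sizeof b_true          },
    { CKA_LABEL,                label_ca,        sizeof label_ca - 1    },
    { CKA_CERTIFICATE_TYPE,     &type_x509,      sizeof type_x509       },
    { CKA_VALUE,                der_placeholder, sizeof der_placeholder },
    { CKA_TRUSTED,              &b_true,         sizeof b_true          },
    { CKA_CERTIFICATE_CATEGORY, &cat_auth,       sizeof cat_auth        },
};

/* An end-entity certificate that merely lives on the token. */
const CK_ATTRIBUTE stored_cert_tmpl[] = {
    { CKA_CLASS,                &cls_cert,       sizeof cls_cert        },
    { CKA_TOKEN,                &b_true,         sizeof b_true          },
    { CKA_LABEL,                label_ee,        sizeof label_ee - 1    },
    { CKA_CERTIFICATE_TYPE,     &type_x509,      sizeof type_x509       },
    { CKA_VALUE,                der_placeholder, sizeof der_placeholder },
    { CKA_TRUSTED,              &b_false,        sizeof b_false         },
    { CKA_CERTIFICATE_CATEGORY, &cat_user,       sizeof cat_user        },
};

/* CKA_TRUSTED set but the category left unspecified: under the simple
 * convention this is not a CA anchor, so a consumer must check both. */
const CK_ATTRIBUTE trusted_uncategorised_tmpl[] = {
    { CKA_CLASS,                &cls_cert,       sizeof cls_cert        },
    { CKA_CERTIFICATE_TYPE,     &type_x509,      sizeof type_x509       },
    { CKA_VALUE,                der_placeholder, sizeof der_placeholder },
    { CKA_TRUSTED,              &b_true,         sizeof b_true          },
    { CKA_CERTIFICATE_CATEGORY, &cat_unspec,     sizeof cat_unspec      },
};

/* Find one attribute in a template; NULL when it is absent. */
static const CK_ATTRIBUTE *find_attr(const CK_ATTRIBUTE *tmpl, CK_ULONG n, CK_ULONG type) {
    for (CK_ULONG i = 0; i < n; i++)
        if (tmpl[i].type == type)
            return &tmpl[i];
    return NULL;
}

/* Typed comparisons that also reject a value of the wrong length. */
static bool attr_ulong_equals(const CK_ATTRIBUTE *a, CK_ULONG want) {
    CK_ULONG v;
    if (a == NULL || a->ulValueLen != sizeof v) return false;
    memcpy(&v, a->pValue, sizeof v);
    return v == want;
}

static bool attr_is_true(const CK_ATTRIBUTE *a) {
    CK_BBOOL v;
    if (a == NULL || a->ulValueLen != sizeof v) return false;
    memcpy(&v, a->pValue, sizeof v);
    return v == CK_TRUE;
}

/* The consumer-side test for the simple convention: an X.509 certificate
 * object that is CKA_TRUSTED and categorised as an authority. */
bool is_simple_ca_anchor(const CK_ATTRIBUTE *tmpl, CK_ULONG n) {
    return attr_ulong_equals(find_attr(tmpl, n, CKA_CLASS), CKO_CERTIFICATE)
        && attr_ulong_equals(find_attr(tmpl, n, CKA_CERTIFICATE_TYPE), CKC_X_509)
        && attr_is_true(find_attr(tmpl, n, CKA_TRUSTED))
        && attr_ulong_equals(find_attr(tmpl, n, CKA_CERTIFICATE_CATEGORY),
                             CK_CERTIFICATE_CATEGORY_AUTHORITY);
}

int main(void) {
    printf("CA anchor template:        %s\n",
           is_simple_ca_anchor(ca_anchor_tmpl, N_ATTRS(ca_anchor_tmpl)) ? "anchor" : "not an anchor");
    printf("stored end-entity cert:    %s\n",
           is_simple_ca_anchor(stored_cert_tmpl, N_ATTRS(stored_cert_tmpl)) ? "anchor" : "not an anchor");
    printf("trusted, no category:      %s\n",
           is_simple_ca_anchor(trusted_uncategorised_tmpl, N_ATTRS(trusted_uncategorised_tmpl)) ? "anchor" : "not an anchor");
    return 0;
}
```

Two points worth keeping in mind when implementing this in a module: the check has to require both attributes, since a certificate that is merely present on a token (or trusted for some unspecified purpose) must not be promoted to a CA anchor; and the PKCS#11 v2.20 specification says CKA_TRUSTED on certificate objects cannot be set to CK_TRUE by an ordinary application, only by a token initialisation application or the SO, so a module that exposes an external trust store this way is expected to present the attribute as already set rather than let a user session flip it.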