On Mon, Apr 09, 2012 at 12:01:18PM -0400, Daniel Kahn Gillmor wrote:
> >> Can you propose a mechanism such that this info would not get lost?
> >
> > X509 has a way to embed the trust in the certificate itself, see
> > "TRUST SETTINGS" in openssl's x509 manpage.
>
> This looks like it only works with PEM output, and it appends chunks of
> (base64-encoded) ASN.1 data after the initial base64-encoded ASN.1 blob
> of the certificate. The header and footer of the PEM output change
> from -----BEGIN CERTIFICATE----- to -----BEGIN TRUSTED CERTIFICATE-----
> which makes it so the certificate apparently can't be read by NSS's
> certutil. A cursory search doesn't turn up any sort of spec for
> -----BEGIN TRUSTED CERTIFICATE----- ; do you know if that's documented
> somewhere?
From looking at the openssl source, it actually seems to allow the use of "BEGIN CERTIFICATE" for certificates with trust information (X509_AUX), and I'm not sure why they added the TRUSTED part. I assume that it's not supported for DER because the X.690 standard doesn't allow it, and so they changed it so that only applications knowing how to deal with them would read the files.

Anyway, if we really want to go this way NSS will need to be modified anyway. Other libraries might also need to be updated to be able to support reading those files, and doing something useful with the extra information that is in them.

Kurt

Archive: http://lists.debian.org/20120409164219.ga14...@roeckx.be
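The layout both messages describe (a certificate DER followed by a second ASN.1 blob, OpenSSL's X509_CERT_AUX, under a TRUSTED CERTIFICATE PEM label) is spelled out in this added example, which is not part of the thread. It uses a constructed stand-in SEQUENCE in place of a real certificate, splits the PEM body at the end of the first TLV, decodes the trust/reject OID lists and alias from the trailer, and shows why a reader expecting only a plain CERTIFICATE block with nothing after it rejects the file.

```python
import base64
import re

def tlv(tag, body):  # short-form DER TLV (body < 128 bytes); used only to build the constructed sample
    return bytes([tag, len(body)]) + body

def read_tlv(buf, off=0):  # parse one DER TLV at buf[off:]; handles short and long-form lengths
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets that follow
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length

def decode_oid(value):  # DER OBJECT IDENTIFIER contents: first octet packs arcs 1 and 2, rest is base-128
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def split_trusted_pem(pem):  # -> (label, cert_der, aux_der): cert is the first TLV, X509_AUX is what follows
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    der = base64.b64decode("".join(m.group(2).split()))
    _, _, cert_end = read_tlv(der)
    return m.group(1), der[:cert_end], der[cert_end:]

def parse_aux(aux_der):  # X509_CERT_AUX: trust SEQUENCE OF OID, reject [0] IMPLICIT SEQUENCE OF OID, alias UTF8String
    out, (_, body, _), off = {"trust": [], "reject": [], "alias": None}, read_tlv(aux_der), 0
    while off < len(body):
        tag, val, off = read_tlv(body, off)
        if tag in (0x30, 0xA0):  # 0x30 = trust list, 0xA0 = reject list; both hold OIDs
            key, o = ("trust" if tag == 0x30 else "reject"), 0
            while o < len(val):
                _, oid, o = read_tlv(val, o)
                out[key].append(decode_oid(oid))
        elif tag == 0x0C:  # UTF8String alias
            out["alias"] = val.decode()
    return out

def plain_reader_accepts(pem):  # a reader that only knows "CERTIFICATE" PEM with nothing after the cert
    label, _, aux = split_trusted_pem(pem)
    return label == "CERTIFICATE" and not aux

# Constructed sample (not from the thread): a stand-in SEQUENCE instead of a real certificate, then an aux
# block trusting serverAuth (1.3.6.1.5.5.7.3.1), rejecting emailProtection (1.3.6.1.5.5.7.3.4), alias "demo".
FAKE_CERT = tlv(0x30, tlv(0x04, b"stand-in certificate body"))
AUX = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2B06010505070301")))
              + tlv(0xA0, tlv(0x06, bytes.fromhex("2B06010505070304")))
              + tlv(0x0C, b"demo"))
SAMPLE_PEM = ("-----BEGIN TRUSTED CERTIFICATE-----\n" + base64.encodebytes(FAKE_CERT + AUX).decode()
              + "-----END TRUSTED CERTIFICATE-----\n")
```

Feeding SAMPLE_PEM to plain_reader_accepts reproduces the failure mode described above: the label is not CERTIFICATE and 32 bytes of aux data trail the certificate TLV.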