On 05.03.2014 18:02, Jan Cholasta wrote:
> On 5.3.2014 13:20, Stef Walter wrote:
>> On 03.03.2014 15:24, Jan Cholasta wrote:
>>> On 3.3.2014 15:07, Stef Walter wrote:
>>>> On 03.03.2014 15:03, Jan Cholasta wrote:
>>>>> If you plug a PKCS#11 module into p11-kit, will p11-kit use NSS trust
>>>>> objects from the module?
>>>>
>>>> No. This is the spec for storing trust policy in PKCS#11 that we've
>>>> been working on:
>>>>
>>>> http://p11-glue.freedesktop.org/doc/storing-trust-policy/
>>>>
>>>> It's a far more extensible and future proof model. The p11-kit-trust
>>>> module stores/loads these sorts of objects, and additionally also
>>>> generates NSS trust objects on the fly so that NSS can consume the
>>>> information.
>>>>
>>>> It doesn't do that last bit for third party sources, but it could given
>>>> code :)
>>>
>>> Code is not a problem :)
>>>
>>> What would be the best way to provide trust policy to p11-kit from a
>>> third party PKCS#11 module, if not NSS trust objects?
>>
>> I obviously think that using the new stuff linked above would be best.
>> It's future proof and models this comprehensively. That would allow
>> extracting compat trust anchors to files (for crypto libraries that
>> don't yet support looking up trust via PKCS#11).
>>
>> But I understand if you're hesitant to commit to this spec that's in
>> development (albeit already implemented).
>
> Actually, I like it. Is everything mentioned at
> <http://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-pkcs11.html>
> going to be standardized?
Yes, that's the goal. Several people have been involved in reviewing the spec, and I'm going through a second batch of reviews from the NSS guys.

Stef

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
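The thread above describes p11-kit-trust loading stored trust-policy objects (the "trust assertion" model of the linked spec) and generating NSS trust objects from them on the fly so that NSS can consume the result. The following Python model, added here as an illustration and not code from p11-kit, NSS or either poster, shows the shape of that translation: per-certificate trust assertions (anchored, distrusted, pinned; optionally scoped to one purpose) are folded into one NSS-style trust object carrying a trust level per purpose attribute. Constant names follow p11-kit's pkcs11x.h and NSS's pkcs11n.h but are kept symbolic here rather than using the real numeric values; the precedence rule that a distrust assertion always wins over an anchor, and the choice to ignore pinned assertions (NSS trust objects have no pin concept), are assumptions of this model.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assertion types, named after p11-kit's pkcs11x.h (symbolic, constructed for this model)
ANCHORED = "CKT_X_ANCHORED_CERTIFICATE"
DISTRUSTED = "CKT_X_DISTRUSTED_CERTIFICATE"
PINNED = "CKT_X_PINNED_CERTIFICATE"

# NSS trust levels, named after NSS's pkcs11n.h (symbolic, constructed for this model)
NSS_TRUSTED_DELEGATOR = "CKT_NSS_TRUSTED_DELEGATOR"   # usable as a CA anchor
NSS_NOT_TRUSTED = "CKT_NSS_NOT_TRUSTED"               # explicitly distrusted
NSS_TRUST_UNKNOWN = "CKT_NSS_TRUST_UNKNOWN"           # no policy stated

# Purpose (extended key usage OID) -> NSS trust attribute on the trust object
PURPOSE_TO_NSS_ATTR = {
    "1.3.6.1.5.5.7.3.1": "CKA_TRUST_SERVER_AUTH",
    "1.3.6.1.5.5.7.3.2": "CKA_TRUST_CLIENT_AUTH",
    "1.3.6.1.5.5.7.3.3": "CKA_TRUST_CODE_SIGNING",
    "1.3.6.1.5.5.7.3.4": "CKA_TRUST_EMAIL_PROTECTION",
}


@dataclass(frozen=True)
class TrustAssertion:
    """One stored trust assertion as a third-party module might expose it."""
    cert_der: bytes                 # CKA_X_CERTIFICATE_VALUE
    assertion_type: str             # CKA_X_ASSERTION_TYPE
    purpose: Optional[str] = None   # CKA_X_PURPOSE; None means all purposes


def _level_for_purpose(assertions: List[TrustAssertion], purpose: str) -> str:
    """Fold every assertion relevant to one purpose into a single NSS trust level."""
    level = NSS_TRUST_UNKNOWN
    for a in assertions:
        if a.purpose is not None and a.purpose != purpose:
            continue                            # scoped to a different purpose
        if a.assertion_type == DISTRUSTED:
            return NSS_NOT_TRUSTED              # assumed rule: distrust is final
        if a.assertion_type == ANCHORED:
            level = NSS_TRUSTED_DELEGATOR
        # PINNED assertions have no NSS trust-object equivalent and are skipped
    return level


def build_nss_trust_objects(assertions: List[TrustAssertion]) -> List[Dict[str, str]]:
    """Generate one NSS-style trust object per certificate from trust assertions."""
    by_cert: Dict[bytes, List[TrustAssertion]] = {}
    for a in assertions:
        by_cert.setdefault(a.cert_der, []).append(a)

    objects = []
    for cert_der, cert_assertions in by_cert.items():
        obj = {
            "CKA_CLASS": "CKO_NSS_TRUST",
            # NSS trust objects identify the certificate by its SHA-1 fingerprint
            "CKA_CERT_SHA1_HASH": hashlib.sha1(cert_der).hexdigest(),
        }
        for purpose, attr in PURPOSE_TO_NSS_ATTR.items():
            obj[attr] = _level_for_purpose(cert_assertions, purpose)
        objects.append(obj)
    return objects


if __name__ == "__main__":
    # Constructed sample: a CA anchored for everything, but distrusted for TLS server auth
    ca = b"constructed-ca-certificate-der"
    sample = [
        TrustAssertion(ca, ANCHORED),
        TrustAssertion(ca, DISTRUSTED, purpose="1.3.6.1.5.5.7.3.1"),
    ]
    for o in build_nss_trust_objects(sample):
        print(o)
```

Running the sample yields one trust object where CKA_TRUST_SERVER_AUTH is CKT_NSS_NOT_TRUSTED while the other three purpose attributes are CKT_NSS_TRUSTED_DELEGATOR, which is the property worth checking when a third-party source feeds policy into the trust module: a narrow distrust must not be widened into a blanket anchor by the translation step.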