On 12.3.2014 16:14, Stef Walter wrote:
On 05.03.2014 18:02, Jan Cholasta wrote:
On 5.3.2014 13:20, Stef Walter wrote:
On 03.03.2014 15:24, Jan Cholasta wrote:
On 3.3.2014 15:07, Stef Walter wrote:
On 03.03.2014 15:03, Jan Cholasta wrote:
If you plug a PKCS#11 module into p11-kit, will p11-kit use NSS trust
objects from the module?

No. This is the spec for storing trust policy in PKCS#11 that we've
been working on:

http://p11-glue.freedesktop.org/doc/storing-trust-policy/

It's a far more extensible and future proof model. The p11-kit-trust
module stores/loads these sorts of objects, and additionally also
generates NSS trust objects on the fly so that NSS can consume the
information.

It doesn't do that last bit for third party sources, but it could given
code :)

Code is not a problem :)

What would be the best way to provide trust policy to p11-kit from a
third party PKCS#11 module, if not NSS trust objects?

I obviously think that using the new stuff linked above would be best.
It's future proof and models this comprehensively. That would allow
extracting compat trust anchors to files (for crypto libraries that
don't yet support looking up trust via PKCS#11).

But I understand if you're hesitant to commit to this spec that's in
development (albeit already implemented).

Actually, I like it. Is everything mentioned at
<http://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-pkcs11.html>
going to be standardized?

Yes, that's the goal. Several people have been involved in reviewing the
spec, and I'm going through a second batch of reviews from the NSS guys.

Great! Do you expect any big changes to happen during the review, or can the spec be considered stable enough to base an LDAP schema on it?

Honza

--
Jan Cholasta

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
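An added illustration of the "generates NSS trust objects on the fly" step Stef describes above. This is not p11-kit's code and not part of the original thread: it is a Python model of how a trust module could derive one CKO_NSS_TRUST object per certificate from the CKO_X_TRUST_ASSERTION objects of the storing-trust-policy spec. The CKT_X_* and CKT_NSS_* constant values are assumed from p11-kit's pkcs11x.h and NSS's pkcs11n.h (check them against the headers you build against), only the anchored and distrusted assertion types are modelled, and the issuer names, serials and certificate bytes in the sample are constructed placeholders rather than real DER.

```python
import hashlib

# Assertion types for CKO_X_TRUST_ASSERTION objects. Values assumed from
# p11-kit's pkcs11x.h; confirm against the header you build against.
CKT_X_DISTRUSTED_CERTIFICATE = 1
CKT_X_ANCHORED_CERTIFICATE = 3

# NSS trust levels carried by CKO_NSS_TRUST attributes. Values assumed from
# NSS's pkcs11n.h (CKT_NSS base 0xCE534350); confirm against your header.
CKT_NSS_TRUSTED_DELEGATOR = 0xCE534352   # trusted to issue, i.e. a CA anchor
CKT_NSS_NOT_TRUSTED = 0xCE534353         # explicitly distrusted
CKT_NSS_MUST_VERIFY_TRUST = 0xCE534354   # no policy; decide via chain building

# Extended key usage OID (CKA_X_PURPOSE on the assertion) -> NSS per-purpose
# trust attribute on the generated CKO_NSS_TRUST object.
PURPOSE_TO_NSS_ATTR = {
    "1.3.6.1.5.5.7.3.1": "CKA_TRUST_SERVER_AUTH",
    "1.3.6.1.5.5.7.3.2": "CKA_TRUST_CLIENT_AUTH",
    "1.3.6.1.5.5.7.3.3": "CKA_TRUST_CODE_SIGNING",
    "1.3.6.1.5.5.7.3.4": "CKA_TRUST_EMAIL_PROTECTION",
}


def trust_assertion(assertion_type, purpose, issuer, serial, cert_der=None):
    """Return a dict standing in for the attributes of one CKO_X_TRUST_ASSERTION."""
    obj = {
        "CKA_CLASS": "CKO_X_TRUST_ASSERTION",
        "CKA_X_ASSERTION_TYPE": assertion_type,
        "CKA_X_PURPOSE": purpose,
        "CKA_ISSUER": issuer,
        "CKA_SERIAL_NUMBER": serial,
    }
    if cert_der is not None:
        obj["CKA_X_CERTIFICATE_VALUE"] = cert_der
    return obj


def build_nss_trust_objects(assertions):
    """Derive one CKO_NSS_TRUST object per (issuer, serial) from a set of assertions.

    Every purpose starts at MUST_VERIFY_TRUST. An anchored assertion raises its
    purpose to TRUSTED_DELEGATOR; a distrusted assertion pins the purpose at
    NOT_TRUSTED and wins over any anchor assertion, whatever the input order.
    """
    grouped = {}
    for a in assertions:
        grouped.setdefault((a["CKA_ISSUER"], a["CKA_SERIAL_NUMBER"]), []).append(a)

    objects = []
    for (issuer, serial), group in grouped.items():
        nss = {"CKA_CLASS": "CKO_NSS_TRUST", "CKA_ISSUER": issuer, "CKA_SERIAL_NUMBER": serial}
        nss.update({attr: CKT_NSS_MUST_VERIFY_TRUST for attr in PURPOSE_TO_NSS_ATTR.values()})
        cert = next((a["CKA_X_CERTIFICATE_VALUE"] for a in group
                     if "CKA_X_CERTIFICATE_VALUE" in a), None)
        if cert is not None:
            # NSS also locates trust objects by certificate hash; a pure blocklist
            # entry known only by issuer/serial has no certificate to hash.
            nss["CKA_CERT_SHA1_HASH"] = hashlib.sha1(cert).digest()
        for a in group:
            attr = PURPOSE_TO_NSS_ATTR.get(a["CKA_X_PURPOSE"])
            if attr is None:
                continue  # a purpose NSS has no trust attribute for
            if a["CKA_X_ASSERTION_TYPE"] == CKT_X_DISTRUSTED_CERTIFICATE:
                nss[attr] = CKT_NSS_NOT_TRUSTED
            elif (a["CKA_X_ASSERTION_TYPE"] == CKT_X_ANCHORED_CERTIFICATE
                  and nss[attr] != CKT_NSS_NOT_TRUSTED):
                nss[attr] = CKT_NSS_TRUSTED_DELEGATOR
        objects.append(nss)
    return objects


# Constructed sample input: placeholders, not real DER-encoded names or certificates.
ROOT_ISSUER = b"CN=Example Root CA"
ROOT_SERIAL = b"\x01"
ROOT_CERT = b"\x30\x82placeholder-root-cert"

SAMPLE_ASSERTIONS = [
    # anchor the root for TLS server and client authentication ...
    trust_assertion(CKT_X_ANCHORED_CERTIFICATE, "1.3.6.1.5.5.7.3.1", ROOT_ISSUER, ROOT_SERIAL, ROOT_CERT),
    trust_assertion(CKT_X_ANCHORED_CERTIFICATE, "1.3.6.1.5.5.7.3.2", ROOT_ISSUER, ROOT_SERIAL, ROOT_CERT),
    # ... but a blocklist entry distrusts it for server auth; distrust must win
    trust_assertion(CKT_X_DISTRUSTED_CERTIFICATE, "1.3.6.1.5.5.7.3.1", ROOT_ISSUER, ROOT_SERIAL),
    # a distrusted issuer known only by issuer/serial, with no certificate value
    trust_assertion(CKT_X_DISTRUSTED_CERTIFICATE, "1.3.6.1.5.5.7.3.3", b"CN=Compromised CA", b"\x7f"),
]

if __name__ == "__main__":
    for obj in build_nss_trust_objects(SAMPLE_ASSERTIONS):
        print(obj)
```

The point a practitioner should check in a real module is the ordering rule: a distrust assertion must override an anchor assertion for the same certificate and purpose regardless of which object the module happens to enumerate first, otherwise a blocklisted CA re-appears as trusted to NSS.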
