Mimi Zohar <zo...@linux.vnet.ibm.com> wrote:

> Let's assume accepting built-in keys should be acceptable for all use
> cases.  Adding additional keys from userspace is probably not acceptable
> for all use cases.  Those keys should be added to specific 'trusted'
> keyrings.
> 
> EVM and IMA-appraisal have separate keyrings for this reason.  I might
> be interested in allowing third party packages to be installed and
> executed, but that doesn't imply that a security.evm extended attribute,
> signed by a third party application, is acceptable.

We should probably look at using the capability of X.509 certificates to
indicate what a key may be used for and noting that in the public_key struct.

David