On Fri, Dec 19, 2014, Sean Leonard wrote: > > On Dec 19, 2014, at 11:35 AM, Kurt Roeckx <k...@roeckx.be> wrote: > > > On Fri, Dec 19, 2014 at 03:05:32PM +0000, Viktor Dukhovni wrote: > >> On Fri, Dec 19, 2014 at 08:47:55AM -0500, Daniel Kahn Gillmor wrote: > >> > >>> Does OpenSSL have documented someplace exactly what it means to have a > >>> "TRUSTED CERTIFICATE"? > >> > >> It is a certificate + auxiliary data which specifies a friendly name > >> plus a set of EKUs. > > > > Mozilla provides a list of root certificates and that includes at > > least the trust settings for that certificate. > > What exactly is the Mozilla (NSS) format? How does it differ from the OpenSSL > format? >
The last time I checked NSS stored the trust data in a database (Berkeley DB) and the trust attributes could be accessed via PKCS#11. I'm not aware of any way to export the certificates to a file which retains the trust settings. I'm not aware of any standard for trust settings. There certainly wasn't one when this was added to OpenSSL. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org _______________________________________________ openssl-dev mailing list openssl-dev@openssl.org https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev