On 10.09.2014 13:25, Nikos Mavrogiannopoulos wrote:
> On Wed, 2014-09-10 at 10:14 +0200, Stef Walter wrote:
>
>>>> Because trust policy should not only apply to anchor certificates, even
>>>> though OpenSSL and GnuTLS currently assume that it does.
>>>
>>> I'm not sure I quite understand here. We are talking about the p11-kit
>>> trust module, and as defined now, its trust policy applies to Anchor
>>> certificates only.
>>
>> No it doesn't. p11-kit-trust has trust policy that applies to *any*
>> certificate. Until now only NSS consumed that additional trust policy.
>
> That's pretty dangerous; the documentation only mentions anchor
> certificates and that's what gnutls assumes.
Please point out the dangerous portions of the documentation explicitly so
we can fix them. Or the dangerous behavior... Interested in the specific
issues.

> So does the current p11-kit
> module return normal certificates in addition to anchor certificates?

Yes, you can store any kind of X.509 certificate in there, just like on
other PKCS#11 tokens. In addition you can add attached certificate
extensions to any certificate. That's the whole point of this document.

The sets of anchor, blacklist, and attached extensions are conceptually
distinct.

Cheers,

Stef

-- 
s...@thewalter.net
http://stef.thewalter.net

_______________________________________________
p11-glue mailing list
p11-glue@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/p11-glue
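The point Stef makes above (the trust module returns arbitrary certificates, and anchor, blacklist and attached-extension sets are distinct) is where a consumer that assumes "everything returned is an anchor" goes wrong. The following is an added example, not code from the thread, from p11-kit or from GnuTLS: it models the token as in-memory attribute dicts (constructed sample data, with placeholder bytes where DER would be) and contrasts the naive reading with one that consults the stored trust policy. The attribute names it relies on (CKA_TRUSTED, CKA_X_DISTRUSTED, CKO_X_CERTIFICATE_EXTENSION objects matched by CKA_PUBLIC_KEY_INFO) follow p11-kit's stored-trust conventions as this editor understands them and are an assumption; the helper names are hypothetical.

```python
"""Added example: reading trust policy from a p11-kit-style trust module
instead of treating every certificate it returns as an anchor.

Everything here is constructed for illustration. The objects are dicts
standing in for PKCS#11 attribute templates (a real consumer would obtain
them via C_FindObjects / C_GetAttributeValue through a PKCS#11 binding).
The attribute names (CKA_TRUSTED, CKA_X_DISTRUSTED, CKO_X_CERTIFICATE_EXTENSION
keyed by CKA_PUBLIC_KEY_INFO) are an assumption about p11-kit's stored-trust
conventions, not something stated in the thread.
"""

ANCHOR, DISTRUSTED, PLAIN = "anchor", "distrusted", "plain"

# Constructed token contents. CKA_PUBLIC_KEY_INFO would really be a DER
# SubjectPublicKeyInfo; short placeholder byte strings stand in for it.
TOKEN = [
    {"CKA_CLASS": "CKO_CERTIFICATE", "CKA_LABEL": "Example Root CA",
     "CKA_PUBLIC_KEY_INFO": b"spki-root",
     "CKA_TRUSTED": True, "CKA_X_DISTRUSTED": False},
    {"CKA_CLASS": "CKO_CERTIFICATE", "CKA_LABEL": "Compromised Intermediate",
     "CKA_PUBLIC_KEY_INFO": b"spki-bad",
     "CKA_TRUSTED": False, "CKA_X_DISTRUSTED": True},
    {"CKA_CLASS": "CKO_CERTIFICATE", "CKA_LABEL": "Ordinary Leaf",
     "CKA_PUBLIC_KEY_INFO": b"spki-leaf",
     "CKA_TRUSTED": False, "CKA_X_DISTRUSTED": False},
    # Attached extension object: narrows the root to server authentication.
    {"CKA_CLASS": "CKO_X_CERTIFICATE_EXTENSION",
     "CKA_PUBLIC_KEY_INFO": b"spki-root",
     "CKA_OBJECT_ID": "2.5.29.37",                    # id-ce-extKeyUsage
     "CKA_VALUE": b"<DER extKeyUsage: serverAuth>",   # placeholder bytes
     "CKA_X_CRITICAL": True},
]


def find_objects(token, **template):
    """Stand-in for C_FindObjects: every object whose attributes match."""
    return [o for o in token if all(o.get(k) == v for k, v in template.items())]


def trust_status(cert):
    """Trust policy of one certificate object. Distrust is checked first, so
    a blacklisted object can never be promoted to anchor by a stray CKA_TRUSTED."""
    if cert.get("CKA_X_DISTRUSTED"):
        return DISTRUSTED
    if cert.get("CKA_TRUSTED"):
        return ANCHOR
    return PLAIN


def naive_anchors(token):
    """The consumer behaviour the thread worries about: assume every
    CKO_CERTIFICATE the module returns is an anchor."""
    return [o["CKA_LABEL"] for o in find_objects(token, CKA_CLASS="CKO_CERTIFICATE")]


def anchors(token):
    """Anchors are only the certificates the module marks CKA_TRUSTED
    and does not distrust."""
    return [o["CKA_LABEL"] for o in find_objects(token, CKA_CLASS="CKO_CERTIFICATE")
            if trust_status(o) == ANCHOR]


def blacklist(token):
    """Distrusted certificates, kept as a set distinct from the anchors."""
    return [o["CKA_LABEL"] for o in find_objects(token, CKA_CLASS="CKO_CERTIFICATE")
            if trust_status(o) == DISTRUSTED]


def attached_extensions(token, cert):
    """Extensions attached to a certificate, located by its public key info
    rather than by the certificate object itself, so they apply to any
    certificate carrying that key. Returns {oid: (der_value, critical)}."""
    exts = find_objects(token, CKA_CLASS="CKO_X_CERTIFICATE_EXTENSION",
                        CKA_PUBLIC_KEY_INFO=cert["CKA_PUBLIC_KEY_INFO"])
    return {e["CKA_OBJECT_ID"]: (e["CKA_VALUE"], bool(e.get("CKA_X_CRITICAL")))
            for e in exts}


if __name__ == "__main__":
    print("naive anchors:  ", naive_anchors(TOKEN))
    print("policy anchors: ", anchors(TOKEN))
    print("blacklist:      ", blacklist(TOKEN))
    root = find_objects(TOKEN, CKA_LABEL="Example Root CA")[0]
    print("root extensions:", attached_extensions(TOKEN, root))
```

Run stand-alone, the naive reading lists all three certificates as anchors, including the distrusted one, while the policy-aware reading yields one anchor, one blacklist entry and an extKeyUsage restriction attached to the root by key.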