Hi,
this latest upload appears to be based on the older version of the proposal, not the latest one.
It has the older CKA_ISSUER, and possibly other older content.
DJ
From: pkcs11@lists.oasis-open.org <pkcs11@lists.oasis-open.org>
On Behalf Of Robert Relyea
Sent: Wednesday, February 15, 2023 2:52 PM
To: Michael Markowitz <markowitz@infoseccorp.com>; pkcs11@lists.oasis-open.org
Subject: Re: [pkcs11] Groups - Trust objects uploaded
On 2/15/23 8:53 AM, Michael Markowitz wrote:
My attempt to improve this is attached with tracked changes, comments and questions. Biggest omission in my mind is a clear statement about how exactly trust objects are to be
matched with certsâ clearly 1) issuer/serial number or 2) hash (or both) would suffice, but I donât see an explicit statement to the effect that â1 or 2 is requiredâ to actually make the object useful. I think
match should be defined and then used in step 1 of the typical application flow.
Thanks Michael. Both have to match. issuer/serial number is used to look up the trust object, the hash verifies that the trust object applies to the cert. This is necessary because someone could create a bogus root cert that matches the issuer/seriall number,
but not be the trusted cert. I'll look at your proposed wording.
bob
-mjm
Submitter's message
First cut at trust objects. document includes notes on how the current private trust objects are used in NSS and differences between those trust object and the proposed spect.
-- Mr. Robert Relyea
Document Name:
Trust objects
Description
First cut at trust objects. document includes notes on how the current
private trust objects are used in NSS and differences between those trust
object and the proposed spect.
Download
Latest Revision
Public
Download Link
Submitter: Mr. Robert Relyea
Group: OASIS PKCS 11 TC
Folder: Working Drafts
Date submitted: 2022-08-10 15:10:10
|