OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

pkcs11 message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [pkcs11] Groups - Trust objects uploaded

Hi Bob,

 

Nits:

  • 1.1.2 Overview, third sentence, “it’s” should be “its”.
  • Page 3, paragraph 2 (starts with “CKA_TRUST_XXX attributes…”), second sentence, “in the template, the it” should be “in the template, then it”, or, to be consistent with the next bit, just “in the template, it”. I suspect the second sentence should be broken into two sentences, a semi-colon used in place of the comma, or an conjunction used with the comma.
  • Page 3, paragraph 3 should be something like “Applications choose which tokens can supply trust objects and what priority is assigned to those trust objects when they are processed.”
  • CKT_NOT_TRUSTED should be something like “The certificate is explicitly not trusted for the operation associated with the trust attribute. No trust chain using the certificate can be created even to an otherwise trusted root. This attribute can be used to ‘revoke’ intermediate CA certificates that have been compromised without removing trust from the parent certificate.”
  • CKT_TRUST_UNKNOWN should be something like “The certificate is neither trusted nor untrusted. This is the default when no trust attributes are attached to the certificate. In the final merged trust object CKT_TRUST_MUST_VERIFY_TRUST and CKT_TRUST_UNKNOWN have the same effect.”
  • Page 4, paragraph 1, sentence 1, should be something like “When processing a chain, applications may override trust based on the EKU or other extensions found in the certificate chain.”
  • Page 4, paragraph 2, sentence 1, should be something like “The following is a sample template for creating a trust object:”

 

Other comments/thoughts:

  • In my library I set CKA_ISSUER for CKC_X_509 certificates the same way I do for CKO_NETSCAPE_TRUST. It’s the DER-encoding of the issuer name in the certificate. Are they really different here?
  • Should CKA_HASH_OF_CERTIFICATE’s meaning entry just say “Hash of the certificate (default empty).” and not mention SHA-1?
  • CKA_NAME_HASH_ALGORITHM’s meaning should include CKA_HASH_OF_CERTIFICATE.
  • Does CKA_TOKEN need to be true or can it be false?
  • The footnotes should correspond to table 11 rather than being separately defined.
  • CKT_TRUSTED_DELEGATOR might be better as CKT_TRUST_ANCHOR.

 

Sincerely,

Jonathan

 

From: pkcs11@lists.oasis-open.org <pkcs11@lists.oasis-open.org> On Behalf Of Robert Relyea
Sent: Wednesday, August 10, 2022 5:10 PM
To: pkcs11@lists.oasis-open.org
Subject: [EXT][pkcs11] Groups - Trust objects uploaded

 

THIS MESSAGE COMES FROM AN EXTERNAL SOURCE. PLEASE VERIFY THE CONTENTS OF THIS MESSAGE BEFORE PROCEEDING.

Submitter's message
First cut at trust objects. document includes notes on how the current private trust objects are used in NSS and differences between those trust object and the proposed spect.
-- Mr. Robert Relyea

Document Name: Trust objects

Description
First cut at trust objects. document includes notes on how the current
private trust objects are used in NSS and differences between those trust
object and the proposed spect.
Download Latest Revision
Public Download Link

Submitter: Mr. Robert Relyea
Group: OASIS PKCS 11 TC
Folder: Working Drafts
Date submitted: 2022-08-10 15:10:10

 

Attachment: smime.p7s
Description: S/MIME cryptographic signature

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]