OASIS PKCS 11 TC

  • 1.  Groups - Trust objects uploaded

    Posted 08-10-2022 22:10
    Submitter's message: First cut at trust objects. Document includes notes on how the current private trust objects are used in NSS and differences between those trust objects and the proposed spec. -- Mr. Robert Relyea
    Document Name : Trust objects
    Description : First cut at trust objects. Document includes notes on how the current private trust objects are used in NSS and differences between those trust objects and the proposed spec.
    Submitter : Mr. Robert Relyea
    Group : OASIS PKCS 11 TC
    Folder : Working Drafts
    Date submitted : 2022-08-10 15:10:10


  • 2.  RE: [pkcs11] Groups - Trust objects uploaded

    Posted 02-15-2023 16:53
    My attempt to improve this is attached with tracked changes, comments and questions. Biggest omission in my mind is a clear statement about how exactly trust objects are to be matched with certs… clearly 1) issuer/serial number or 2) hash (or both) would suffice, but I don't see an explicit statement to the effect that "1 or 2 is required" to actually make the object useful. I think match should be defined and then used in step 1 of the typical application flow.

    -mjm

    From: pkcs11@lists.oasis-open.org <pkcs11@lists.oasis-open.org> On Behalf Of Robert Relyea
    Sent: Wednesday, August 10, 2022 3:10 PM
    To: pkcs11@lists.oasis-open.org
    Subject: [pkcs11] Groups - Trust objects uploaded

    Attachment(s): pkcs11_trust_object.docx (docx, 40 KB, 1 version)


  • 3.  Re: [pkcs11] Groups - Trust objects uploaded

    Posted 02-15-2023 19:52
    On 2/15/23 8:53 AM, Michael Markowitz wrote:

        My attempt to improve this is attached with tracked changes, comments and questions. Biggest omission in my mind is a clear statement about how exactly trust objects are to be matched with certs… clearly 1) issuer/serial number or 2) hash (or both) would suffice, but I don't see an explicit statement to the effect that "1 or 2 is required" to actually make the object useful. I think match should be defined and then used in step 1 of the typical application flow.

    Thanks Michael. Both have to match. Issuer/serial number is used to look up the trust object; the hash verifies that the trust object applies to the cert. This is necessary because someone could create a bogus root cert that matches the issuer/serial number, but not be the trusted cert. I'll look at your proposed wording.

    bob
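The two-step match Bob describes (issuer/serial number to find the trust object, certificate hash to confirm it applies), as an added example that is not part of this thread or of the draft: a small Python trust store in which a bogus root that copies the genuine root's issuer and serial number passes a lookup-only match but fails the hash check. Only CKA_ISSUER and CKA_SERIAL_NUMBER are real PKCS#11 attribute names; the hash attribute, SHA-256 as the digest, the trust field and the sample certificate bytes are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Certificate:
    issuer: bytes  # issuer name as encoded in the cert (constructed bytes, not real DER)
    serial: bytes  # serial number
    der: bytes     # the complete encoded certificate

@dataclass(frozen=True)
class TrustObject:
    issuer: bytes     # CKA_ISSUER
    serial: bytes     # CKA_SERIAL_NUMBER
    cert_hash: bytes  # hash of the encoded cert (attribute name and SHA-256 are assumptions)
    trust: str        # simplified stand-in for the draft's trust attributes

def cert_hash(cert: Certificate) -> bytes:
    return hashlib.sha256(cert.der).digest()

def make_trust_object(cert: Certificate, trust: str) -> TrustObject:
    return TrustObject(cert.issuer, cert.serial, cert_hash(cert), trust)

class TrustStore:
    def __init__(self, objects):
        self._index = {}
        for obj in objects:
            self._index.setdefault((obj.issuer, obj.serial), []).append(obj)

    def lookup_only(self, cert):
        # Weak match: issuer/serial alone, so a bogus cert with the same
        # issuer/serial would inherit the genuine root's trust object.
        hits = self._index.get((cert.issuer, cert.serial), [])
        return hits[0] if hits else None

    def find_trust(self, cert):
        # Step 1: issuer/serial locates candidate trust objects.
        hits = self._index.get((cert.issuer, cert.serial), [])
        # Step 2: the hash must also match before the trust object applies.
        h = cert_hash(cert)
        return next((o for o in hits if hmac.compare_digest(o.cert_hash, h)), None)

# Constructed sample data: a genuine root and a bogus root sharing its issuer/serial.
GENUINE = Certificate(b"CN=Example Root CA", b"\x01", b"genuine-root-encoding")
BOGUS = Certificate(b"CN=Example Root CA", b"\x01", b"bogus-root-encoding")
STORE = TrustStore([make_trust_object(GENUINE, "trusted-ca")])
```

Both lookups return the trust object for GENUINE; only find_trust rejects BOGUS, which is the point of requiring both matches.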


  • 4.  RE: [pkcs11] Groups - Trust objects uploaded

    Posted 02-15-2023 20:05

    Hi,
    this latest upload appears to be based on the older version of the proposal, not the latest one.
    It has the older CKA_ISSUER, and possibly other older content.

    DJ


    From: pkcs11@lists.oasis-open.org <pkcs11@lists.oasis-open.org>
    On Behalf Of Robert Relyea
    Sent: Wednesday, February 15, 2023 2:52 PM
    To: Michael Markowitz <markowitz@infoseccorp.com>; pkcs11@lists.oasis-open.org
    Subject: Re: [pkcs11] Groups - Trust objects uploaded


     
