Re: gnome-keyring trust assertions

[Yaron Sheffer <yaronf gmx com>]

Hi Stef,

On 12/14/2010 05:14 PM, Stef Walter wrote:
> On 2010-12-14 01:01, Yaron Sheffer wrote:
> > On 12/13/2010 07:07 PM, Stef Walter wrote:
> > [...]
> > PKIX cert validation is complex, and I am not an expert. But I'm afraid
> > we have to fully specify the cert chain algorithm as you did. So we have
> > to cover all corner cases, including expiration etc.
> I don't understand why we would need to specify things like expiration.
> Aren't they covered by 'Step 5' in the 'Building a Certificate Chain'
> section? Could you explain further?
I suppose they are covered indeed.
> > Regarding Anchored Assertions, I suggest to clarify: "These assertions
> > are only evaluated when associated with the root of the constructed
> > certificate chain. They are ignored if associated with any intermediate
> > certificate in the chain."
> I don't think that's the case. An intermediate certificate may be
> anchored. See step 3 in 'Building a Certificate Chain'. RFC 5280 allows
> for this, as do most PKI implementations.
So the question is, can you have multiple CA certs in a chain have 
anchored assertions associated with them. And then:
- Do you only use the "top" assertion?
- Only the "bottom" (most specific) assertion?
- An additive combination of all assertions along the path?
> > I'm afraid we should be aligned with
> > http://tools.ietf.org/html/rfc5280#section-6 (probably ignoring much of
> > their "policy" stuff).
> Good plan. I'll study this further to see what it says when multiple
> paths are available.
>
> Cheers,
>
> Stef