On Tue, 2016-02-16 at 11:08 +0100, Tomas Mraz wrote:
>
> unfortunately probably due to no mention of the public meetings in the
> official DevConf schedule - they were mentioned only on a separate page
> in the DevConf brochure - there was only a single non-redhatter that
> appeared at the meeting.
>
> We had some informal discussion with him and the redhatters that were
> present. The conclusion was that our team should probably focus more on
> the crypto libraries support for the stapled extensions and using the
> trust store directly via the p11-kit-trust PKCS#11 module and not
> through the extracted certificate lists - namely OpenSSL lacks this
> support and probably should be the first priority to fix before any
> development of high-level trust management application/API should
> start.

I concur. We desperately need to fix the lack of PKCS#11 support in
OpenSSL. I'd love to see a suitably-licensed (re)implementation of libp11
added directly to crypto/pkcs11 and properly integrated.

Not strictly *system CA* certificate... but we also need to fix NSS to be
compliant with the Fedora guidelines about using the correct tokens as
configured by p11-kit, and allowing applications to specify objects by
their PKCS#11 URI. Was that discussed? There was... bizarreness... last
time I raised it on the Mozilla dev-tech-crypto list.

--
David Woodhouse                            Open Source Technology Centre
David.Woodhouse@xxxxxxxxx                              Intel Corporation
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx