Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:

> Let's assume accepting built-in keys is acceptable for all use
> cases. Adding additional keys from userspace is probably not acceptable
> for all use cases. Those keys should be added to specific 'trusted'
> keyrings.
>
> EVM and IMA-appraisal have separate keyrings for this reason. I might
> be interested in allowing third party packages to be installed and
> executed, but that doesn't imply that a security.evm extended attribute,
> signed by a third party application, is acceptable.

We should probably look at using the capability of X.509 certificates to
indicate what a key may be used for and noting that in the public_key
struct.

David
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
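The "capability of X.509 certificates to indicate what a key may be used for" that David refers to is the KeyUsage (OID 2.5.29.15) and ExtendedKeyUsage (OID 2.5.29.37) extensions of RFC 5280. The following is an added example, written for this page and not taken from David's patches or from the kernel tree: it parses the DER value of those two extensions, records the result on a key structure, and gates an operation (here, verifying an IMA/EVM-style file signature) on what the certificate asserted. `struct example_public_key`, the `KU_*`/`EKU_*` flags, the function names and the sample extension bytes are all assumptions made for the example; the kernel's real `struct public_key` has no such fields. The policy choice that a key whose certificate carries no KeyUsage at all is rejected, while an absent ExtendedKeyUsage leaves the key unrestricted, is likewise the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RFC 5280 KeyUsage bits, numbered as in the ASN.1 BIT STRING. */
enum {
	KU_DIGITAL_SIGNATURE = 1u << 0, KU_NON_REPUDIATION   = 1u << 1,
	KU_KEY_ENCIPHERMENT  = 1u << 2, KU_DATA_ENCIPHERMENT = 1u << 3,
	KU_KEY_AGREEMENT     = 1u << 4, KU_KEY_CERT_SIGN     = 1u << 5,
	KU_CRL_SIGN          = 1u << 6, KU_ENCIPHER_ONLY     = 1u << 7,
	KU_DECIPHER_ONLY     = 1u << 8,
};

/* A few id-kp purposes (1.3.6.1.5.5.7.3.N); EKU_OTHER marks an OID we do not know. */
enum {
	EKU_SERVER_AUTH = 1u << 0, EKU_CLIENT_AUTH = 1u << 1,
	EKU_CODE_SIGNING = 1u << 2, EKU_EMAIL = 1u << 3, EKU_OTHER = 1u << 30,
};

/* Hypothetical key record (NOT the kernel's struct public_key). */
struct example_public_key {
	unsigned key_usage;     /* parsed KeyUsage, 0 if the extension was absent */
	unsigned ext_key_usage; /* parsed ExtendedKeyUsage, 0 if absent */
};

/* Parse a DER KeyUsage value: BIT STRING whose first content byte counts unused bits. */
int parse_key_usage(const uint8_t *der, size_t len, unsigned *out)
{
	size_t n, i;
	unsigned unused, bits = 0;

	if (len < 3 || der[0] != 0x03 || der[1] >= 0x80 || der[1] + 2u != len)
		return -1;
	n = der[1] - 1;          /* bit-holding bytes after the unused-bits byte */
	unused = der[2];
	if (n < 1 || n > 2 || unused > 7)
		return -1;
	if (der[2 + n] & ((1u << unused) - 1))
		return -1;       /* DER requires the unused trailing bits to be zero */
	for (i = 0; i < n * 8 - unused; i++)
		if (der[3 + i / 8] & (0x80u >> (i % 8)))
			bits |= 1u << i;
	*out = bits;
	return 0;
}

static const uint8_t OID_KP_PREFIX[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03 };

static unsigned eku_flag(const uint8_t *oid, size_t len)
{
	if (len != 8 || memcmp(oid, OID_KP_PREFIX, 7) != 0)
		return EKU_OTHER;
	switch (oid[7]) {
	case 1: return EKU_SERVER_AUTH;
	case 2: return EKU_CLIENT_AUTH;
	case 3: return EKU_CODE_SIGNING;
	case 4: return EKU_EMAIL;
	default: return EKU_OTHER;
	}
}

/* Parse a DER ExtendedKeyUsage value: non-empty SEQUENCE OF OBJECT IDENTIFIER. */
int parse_ext_key_usage(const uint8_t *der, size_t len, unsigned *out)
{
	size_t pos = 2;
	unsigned flags = 0;

	if (len < 3 || der[0] != 0x30 || der[1] >= 0x80 || der[1] + 2u != len)
		return -1;
	while (pos < len) {
		size_t olen;
		if (pos + 2 > len || der[pos] != 0x06)
			return -1;
		olen = der[pos + 1];
		if (olen >= 0x80 || pos + 2 + olen > len)
			return -1;
		flags |= eku_flag(der + pos + 2, olen);
		pos += 2 + olen;
	}
	*out = flags;
	return 0;
}

/* Fill a key record from its certificate's extensions; eku may be NULL (absent). */
int load_example_key(const uint8_t *ku, size_t kulen, const uint8_t *eku, size_t ekulen,
		     struct example_public_key *key)
{
	key->key_usage = key->ext_key_usage = 0;
	if (parse_key_usage(ku, kulen, &key->key_usage))
		return -1;
	if (eku && parse_ext_key_usage(eku, ekulen, &key->ext_key_usage))
		return -1;
	return 0;
}

/* The gate: every needed KeyUsage bit must be asserted; if an EKU is present it must
 * include every needed purpose. A CA key (keyCertSign/cRLSign only) therefore cannot
 * verify file signatures even though it is a perfectly good trusted key otherwise. */
int key_usable_for(const struct example_public_key *key, unsigned need_ku, unsigned need_eku)
{
	if ((key->key_usage & need_ku) != need_ku)
		return 0;
	if (key->ext_key_usage && (key->ext_key_usage & need_eku) != need_eku)
		return 0;
	return 1;
}

/* Constructed sample extension values for the example; not from any real certificate. */
static const uint8_t SIGNER_KU[]  = { 0x03, 0x02, 0x05, 0xa0 };  /* digitalSignature, keyEncipherment */
static const uint8_t SIGNER_EKU[] = { 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03 };
static const uint8_t CA_KU[]      = { 0x03, 0x02, 0x01, 0x06 };  /* keyCertSign, cRLSign */
static const uint8_t BAD_KU[]     = { 0x03, 0x02, 0x01, 0x07 };  /* unused bit set: not valid DER */

int main(void)
{
	struct example_public_key k;

	if (load_example_key(SIGNER_KU, sizeof SIGNER_KU, SIGNER_EKU, sizeof SIGNER_EKU, &k) == 0)
		printf("signer key may verify file signatures: %d\n",
		       key_usable_for(&k, KU_DIGITAL_SIGNATURE, EKU_CODE_SIGNING));
	if (load_example_key(CA_KU, sizeof CA_KU, NULL, 0, &k) == 0)
		printf("CA key may verify file signatures: %d\n",
		       key_usable_for(&k, KU_DIGITAL_SIGNATURE, EKU_CODE_SIGNING));
	printf("malformed KeyUsage rejected: %d\n",
	       load_example_key(BAD_KU, sizeof BAD_KU, NULL, 0, &k) == -1);
	return 0;
}
```

The point of recording the flags at key-load time rather than re-parsing the certificate on every use is that the keyring code can then refuse to add a key to, say, an EVM keyring unless the certificate actually authorises signing, which is exactly the distinction Mimi draws between "installable package" and "acceptable security.evm signer".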