On Tue, 2022-03-08 at 18:02 +0000, Eric Snowberg wrote:
> > On Mar 8, 2022, at 5:45 AM, Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> >
> > Agreed, as long as the other two criteria are also met: CA and keyUsage
> > should be required and limited to keyCertSign.
>
> I have added the key_is_ca in the public_key header. I can look at adding the usage
> too. Before doing this I would like to understand the "limited to" above. Many CA keys
> that have keyCertSign set also have digitalSignature set for key usage. For
> example:
>
> http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt
>
> Are you saying we would want to exclude a CA like the one above, since it has the
> digitalSignature usage set too?

Yes, the "machine" keyring is defining a new root of trust to support allowing end-users the ability "to add their own keys and sign modules they trust". There should be a clear distinction between keys used for certificate signing and those used for code signing. Certificate signing keys should be added to the .machine keyring. Code signing keys should be added to the IMA keyring.

thanks,

Mimi
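The admission rule discussed in this thread (CA must be set, and keyUsage must be present and limited to keyCertSign) can be modelled outside the kernel to see which certificates it accepts and why. The following is an added example written for this page, not code from the thread, from the kernel patch series, or from the kernel's public_key code. It assumes the caller has already extracted the basicConstraints CA flag and the raw DER value of the keyUsage extension (a BIT STRING, RFC 5280 section 4.2.1.3); the sample DER values below are constructed, not taken from any real certificate, and the strict reading that any bit other than keyCertSign (including cRLSign) disqualifies a key is an assumption taken from the words "limited to keyCertSign".

```python
# Model of the ".machine keyring" admission rule from the thread:
# basicConstraints CA must be true and keyUsage must be exactly {keyCertSign}.
# Added example; not kernel code.

# X.509 KeyUsage bit positions, in order (RFC 5280 section 4.2.1.3).
KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
]


def decode_key_usage(der: bytes) -> set:
    """Decode a DER-encoded KeyUsage BIT STRING into the set of asserted bit names.

    DER BIT STRING layout: tag 0x03, short-form length, one byte giving the
    number of unused trailing bits, then the bit bytes (bit 0 is the MSB of
    the first byte).  Malformed input raises ValueError rather than being
    silently accepted as "no usage".
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("keyUsage value is not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length < 1 or len(der) != 2 + length:
        raise ValueError("bad DER length for keyUsage BIT STRING")
    unused = der[2]
    body = der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits count in keyUsage BIT STRING")
    total_bits = len(body) * 8 - unused
    asserted = set()
    for i in range(total_bits):
        if body[i // 8] & (0x80 >> (i % 8)):
            if i >= len(KEY_USAGE_BITS):
                raise ValueError("keyUsage asserts an undefined bit %d" % i)
            asserted.add(KEY_USAGE_BITS[i])
    return asserted


def eligible_for_machine_keyring(is_ca: bool, key_usage_der: bytes):
    """Return (accepted, reason) for a candidate .machine keyring key.

    Accepted only when the CA flag is set and keyUsage is exactly keyCertSign.
    A CA that also asserts digitalSignature (or cRLSign, under this strict
    reading) is rejected, which is the case asked about in the thread.
    """
    if not is_ca:
        return False, "basicConstraints CA flag is not set"
    usage = decode_key_usage(key_usage_der)
    if "keyCertSign" not in usage:
        return False, "keyUsage does not assert keyCertSign"
    extra = usage - {"keyCertSign"}
    if extra:
        return False, "keyUsage also asserts " + ", ".join(sorted(extra))
    return True, "CA with keyUsage limited to keyCertSign"


# Constructed sample keyUsage extension values (not from any real certificate):
KU_CERTSIGN_ONLY = bytes.fromhex("03020204")   # keyCertSign
KU_CA_PLUS_DIGSIG = bytes.fromhex("03020186")  # digitalSignature, keyCertSign, cRLSign
KU_DIGSIG_ONLY = bytes.fromhex("03020780")     # digitalSignature (a code-signing leaf)

if __name__ == "__main__":
    for label, is_ca, ku in [
        ("pure certificate-signing CA", True, KU_CERTSIGN_ONLY),
        ("CA that also asserts digitalSignature", True, KU_CA_PLUS_DIGSIG),
        ("code-signing leaf key", False, KU_DIGSIG_ONLY),
    ]:
        ok, why = eligible_for_machine_keyring(is_ca, ku)
        print("%-40s -> %s (%s)" % (label, "accept" if ok else "reject", why))
```

The second sample is the shape Eric describes: a CA whose keyUsage carries digitalSignature alongside keyCertSign. Under the rule as stated it is rejected for the .machine keyring, and the reason string names the extra bits so an administrator can see what disqualified it; the third sample is a non-CA signing key of the kind that would belong on the IMA keyring instead.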