> On Dec 12, 2022, at 2:44 PM, Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
>
> Hi Eric, Coiby,
>
> On Fri, 2022-12-09 at 15:44 +0000, Eric Snowberg wrote:
>>> On Dec 9, 2022, at 3:26 AM, Coiby Xu <coxu@xxxxxxxxxx> wrote:
>>>
>>> Thanks for your work! The patch set looks good to me except for the
>>> requirement that an intermediate CA certificate should be vouched for by a
>>> root CA certificate before it can vouch for other certificates. What if
>>> users only want to enroll an intermediate CA certificate into the MOK?
>>
>> This question would need to be answered by the maintainers. The intermediate
>> requirement was based on my understanding of previous discussions requiring
>> there be a way to validate the root of trust all the way back to the root CA.
>
> That definitely did not come from me. My requirement all along has
> been to support a single self-signed CA certificate for the end
> user/customer use case, so that they could create and load their own
> public key, signed by that CA, onto the trusted IMA/EVM keyrings.
>
>>
>>> If this requirement could be dropped, the code could be simplified and
>>> some issues could be resolved automatically,
>>
>> Agreed. I will make sure the issue below is resolved one way or the other,
>> once we have an agreement on the requirements.
>
> I totally agree with Coiby that there is no need for intermediate CA
> certificates to be vouched for by a root CA certificate. In fact the
> closer the CA certificate is to the leaf code signing certificate, the
> better. As much as possible we want to limit the CA keys being loaded
> onto the machine keyring to those that are absolutely required.

Ok, I will change this in the next round. The confusion around the requirement comes from the request to validate that the cert is self-signed. The intermediate in this case will not be self-signed. As long as this check is not necessary, I will drop it from the code and allow the intermediate to vouch for the ima key without the root being present.
Thanks for clearing this up.
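The distinction the thread settles on, shown as an added example that is not part of the discussion or of the kernel patch set: an intermediate CA certificate is a CA (basicConstraints CA:TRUE) but is not self-signed, and a leaf signing certificate verifies against that intermediate alone once the intermediate itself is treated as trusted, without the root being present. The script assumes the `openssl` command-line tool (1.1.1 or later, for `-addext`); all subject names, file names and the working directory are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo chain: root (self-signed) -> intermediate (CA, not self-signed) -> leaf.
WORK="${WORK:-$(mktemp -d)}"

gen_chain() {
  # Extension files: CA certs get CA:TRUE + keyCertSign, the leaf gets CA:FALSE.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > "$WORK/leaf.ext"
  # Self-signed root CA.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.pem" \
    -subj "/CN=Demo Root CA" -days 30 -addext "basicConstraints=critical,CA:TRUE" 2>/dev/null
  # Intermediate CA: its own key, signed by the root, so subject != issuer.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" -out "$WORK/inter.csr" \
    -subj "/CN=Demo Intermediate CA" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -out "$WORK/inter.pem" -days 30 -extfile "$WORK/ca.ext" 2>/dev/null
  # Leaf (the constructed "ima signing key"), signed by the intermediate only.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -subj "/CN=Demo IMA signing key" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -out "$WORK/leaf.pem" -days 30 -extfile "$WORK/leaf.ext" 2>/dev/null
}

# Self-signed means subject and issuer name are identical; this is the check the thread drops
# for the intermediate case.
is_self_signed() {
  subj=$(openssl x509 -noout -subject -in "$1" | cut -d= -f2-)
  iss=$(openssl x509 -noout -issuer -in "$1" | cut -d= -f2-)
  [ "$subj" = "$iss" ]
}

# CA flag from basicConstraints: what actually qualifies a cert to vouch for others.
is_ca() {
  openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
}

# Verify a leaf with only the given CA cert trusted. -partial_chain lets the chain end at a
# trusted non-root, i.e. the intermediate vouches for the leaf without the root present.
verify_leaf_against() {
  openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

# The same verification without -partial_chain insists on walking to a self-signed root.
verify_full_chain_against() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

With only `inter.pem` trusted, `verify_leaf_against` succeeds while `verify_full_chain_against` fails, which is exactly the difference between "vouched for by a root" and "vouches for the leaf".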