Add justification about PKCS#11 URIs

author: Stef Walter <stef@thewalter.net> 2010-12-12 14:54:26 +0000
committer: Stef Walter <stef@thewalter.net> 2010-12-12 14:54:26 +0000
commit: 12f0e957f8058dd7c511374273faf68feb9ff4b2 (patch)
tree: 16b41d3825529426c050ec4a63f76e3c380f1108
parent: 672928ef3ebb536b5fbff0ded83128512acb05e8 (diff)
1 files changed, 15 insertions, 0 deletions
diff --git a/trust-assertions.xml b/trust-assertions.xml
index 6a7e4a6..b8cba93 100644
--- a/trust-assertions.xml
+++ b/trust-assertions.xml
@@ -593,6 +593,21 @@
 					object leading to more complex lookup and modification operations.</para></listitem>
 			</itemizedlist>
 		</section>
+
+		<section>
+			<title>Why not use PKCS#11 URIs?</title>
+
+			<para>The <ulink url='http://tools.ietf.org/html/draft-pechanec-pkcs11uri-03'>PKCS#11 URI Scheme</ulink>
+				is a useful draft standard which can be used to identify objects stored on a PKCS#11
+				token. It has been suggested that a list of PKCS#11 URIs could be used to identify
+				which certificates are useful as certificate anchors.</para>
+
+			<para>As outlined above, positive trust assertions build up trust. Certificates used in positive
+				trust assertions must be identified by the certificate value or a hash thereof. PKCS#11
+				URIs do not have the ability to uniquely identify a certificate by its DER encoding or a
+				hash thereof.</para>
+		</section>
+
 	</section>
 
 </article>
author	Stef Walter <stef@thewalter.net>	2010-12-12 14:54:26 +0000
committer	Stef Walter <stef@thewalter.net>	2010-12-12 14:54:26 +0000
commit	12f0e957f8058dd7c511374273faf68feb9ff4b2 (patch)
tree	16b41d3825529426c050ec4a63f76e3c380f1108
parent	672928ef3ebb536b5fbff0ded83128512acb05e8 (diff)