author Stef Walter <stef@thewalter.net> 2010-12-12 14:54:26 +0000
committer Stef Walter <stef@thewalter.net> 2010-12-12 14:54:26 +0000
commit 12f0e957f8058dd7c511374273faf68feb9ff4b2
tree 16b41d3825529426c050ec4a63f76e3c380f1108
parent 672928ef3ebb536b5fbff0ded83128512acb05e8
Add justification about PKCS#11 URIs
-rw-r--r-- trust-assertions.xml 15
1 files changed, 15 insertions, 0 deletions
diff --git a/trust-assertions.xml b/trust-assertions.xml
index 6a7e4a6..b8cba93 100644
--- a/trust-assertions.xml
+++ b/trust-assertions.xml
@@ -593,6 +593,21 @@
object leading to more complex lookup and modification operations.</para></listitem>
</itemizedlist>
</section>
+
+ <section>
+ <title>Why not use PKCS#11 URIs?</title>
+
+ <para>The <ulink url='http://tools.ietf.org/html/draft-pechanec-pkcs11uri-03'>PKCS#11 URI Scheme</ulink>
+ is a useful draft standard which can be used to identify objects stored on a PKCS#11
+ token. It has been suggested that a list of PKCS#11 URIs could be used to identify
+ which certificates are useful as certificate anchors.</para>
+
+ <para>As outlined above, positive trust assertions build up trust. Certificates used in positive
+ trust assertions must be identified by the certificate value or a hash thereof. PKCS#11
+ URIs do not have the ability to uniquely identify a certificate by its DER encoding or a
+ hash thereof.</para>
+ </section>
+
</section>
</article>
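Review bot: The closing sentence of the new section ("PKCS#11 URIs do not have the ability to uniquely identify a certificate by its DER encoding or a hash thereof") is stated as a permanent fact, while the first paragraph links a specific revision of what it calls a draft standard (draft-pechanec-pkcs11uri-03). Consider scoping the claim to that revision, for example "As of the -03 draft, PKCS#11 URIs do not ...", so the justification does not go stale if a later revision changes the scheme. Two smaller points in the same section: "As outlined above" would be easier to follow as an explicit cross-reference to the section that introduces positive trust assertions, and the first paragraph talks about "certificate anchors" while the second argues only about positive trust assertions, so a sentence connecting the two terms would complete the argument.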