-rw-r--r--  trust-assertions.xml  15
1 files changed, 15 insertions, 0 deletions
diff --git a/trust-assertions.xml b/trust-assertions.xml
index 6a7e4a6..b8cba93 100644
--- a/trust-assertions.xml
+++ b/trust-assertions.xml
@@ -593,6 +593,21 @@
object leading to more complex lookup and modification operations.</para></listitem>
</itemizedlist>
</section>
+
+ <section>
+ <title>Why not use PKCS#11 URIs?</title>
+
+ <para>The <ulink url='http://tools.ietf.org/html/draft-pechanec-pkcs11uri-03'>PKCS#11 URI Scheme</ulink>
+ is a useful draft standard which can be used to identify objects stored on a PKCS#11
+ token. It has been suggested that a list of PKCS#11 URIs could be used to identify
+ which certificates are useful as certificate anchors.</para>
+
+ <para>As outlined above, positive trust assertions build up trust. Certificates used in positive
+ trust assertions must be identified by the certificate value or a hash thereof. PKCS#11
+ URIs do not have the ability to uniquely identify a certificate by its DER encoding or a
+ hash thereof.</para>
+ </section>
+
</section>
</article>
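Review bot: the second added paragraph asserts that PKCS#11 URIs cannot identify a certificate by its DER encoding or a hash of it, but does not say why that matters for positive trust assertions, and the first paragraph introduces the requirement only indirectly. Suggest tying the two together explicitly, e.g. after "PKCS#11 URIs do not have the ability to uniquely identify a certificate by its DER encoding or a hash thereof." add a sentence along the lines of "A URI therefore names whatever object the token currently presents under those attributes, so a trust decision keyed on a URI would depend on the state of the token rather than on the certificate contents that the assertion is meant to vouch for." Two smaller points in the same hunk: "useful as certificate anchors" in the first paragraph reads inconsistently with the term used elsewhere in this document (trust anchors), and the `<ulink>` pins a specific draft revision (`draft-pechanec-pkcs11uri-03`) while the prose calls it a draft standard; either reference the draft name without the revision suffix or note that the link points at one revision of an evolving draft.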