From 12f0e957f8058dd7c511374273faf68feb9ff4b2 Mon Sep 17 00:00:00 2001 From: Stef Walter Date: Sun, 12 Dec 2010 14:54:26 +0000 Subject: Add justification about PKCS#11 URIs --- trust-assertions.xml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/trust-assertions.xml b/trust-assertions.xml index 6a7e4a6..b8cba93 100644 --- a/trust-assertions.xml +++ b/trust-assertions.xml @@ -593,6 +593,21 @@ object leading to more complex lookup and modification operations. + +
+ Why not use PKCS#11 URIs? + + The PKCS#11 URI Scheme + is a useful draft standard which can be used to identify objects stored on a PKCS#11 + token. It has been suggested that a list of PKCS#11 URIs could be used to identify + which certificates are useful as certificate anchors. + + As outlined above, positive trust assertions build up trust. Certificates used in positive + trust assertions must be identified by the certificate value or a hash thereof. PKCS#11 + URIs do not have the ability to uniquely identify a certificate by its DER encoding or a + hash thereof. +
+ -- cgit v1.2.3
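Review bot: The second added paragraph ("PKCS#11 URIs do not have the ability to uniquely identify a certificate by its DER encoding or a hash thereof") states the limitation but not its consequence, so the justification stops one step short. Add a sentence saying what follows for a certificate anchor when the reference is not bound to the certificate value: the URI could resolve to a different certificate than the one the assertion was meant to trust. In the first paragraph, "a useful draft standard" should name the draft revision being described, because the claim about what a URI can express depends on the attributes that revision defines and may stop being accurate if a later revision changes them. "As outlined above" would also be easier to follow as an explicit cross-reference to the section on positive trust assertions.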