Spec: Trust Assertions
Note: Trust assertions were a conceptual way to share trust information. They have been withdrawn as a solution worth gathering around. The current discussion is directed towards Stapled Certificate Extensions and Sharing Trust Policy.
The following remains here for historical reference.
A trust assertion represents a single piece of information about the user's or system's trust preferences. These can be used to make consistent trust decisions.
There's a specification for how trust assertions work, and how they can be stored within PKCS#11.
NSS uses similar method of storing trust information, called Trust Objects, which were studied as part of this research. But they had too many drawbacks to make them the candidate for adoption as a 'glue' mechanism.
However implementors of trust assertions can easily support NSS-style trust objects at the same time. Gnome Keyring for example does this.
- Specification draft: pkcs11-trust-assertions
- Header: pkcs11-trust-assertions.h
- Talk by Stef Walter: Video | Slides
The source code is available via git.
$ git clone git://anongit.freedesktop.org/p11-glue/pkcs11-trust-assertions
Implementations and Integration
- Gnome Keyring's xdg-store module: Storage trust assertions via PKCS#11.
- Gcr library trust lookup/store functions: Helper functions for storing and looking up trust assertions via PKCS#11.
- Glib Library GTlsDatabase PKCS#11 database: Will use trust assertions to lookup root anchor certificates, and pinned certificates (In progress).
- Empathy: Uses trust assertions to lookup trust anchor certificates, and store pinned certificates.
- CRL PKCS#11 Module: (Planned)
- System Certificates Module: (Planned)