| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <7d61852678d1652030ce9c7c2f906217c5c4ce06.camel@linux.ibm.com>
Date: Thu, 15 Dec 2022 05:21:17 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Eric Snowberg <eric.snowberg@...cle.com>, jarkko@...nel.org
Cc: dhowells@...hat.com, dwmw2@...radead.org,
herbert@...dor.apana.org.au, davem@...emloft.net,
dmitry.kasatkin@...il.com, paul@...l-moore.com, jmorris@...ei.org,
serge@...lyn.com, pvorel@...e.cz, noodles@...com, tiwai@...e.de,
kanth.ghatraju@...cle.com, konrad.wilk@...cle.com,
erpalmer@...ux.vnet.ibm.com, coxu@...hat.com,
keyrings@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-crypto@...r.kernel.org, linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org
Subject: Re: [PATCH v3 07/10] KEYS: X.509: Flag Intermediate CA certs as
endorsed
Hi Eric,
On Tue, 2022-12-13 at 19:33 -0500, Eric Snowberg wrote:
> Currently X.509 intermediate certs with the CA flag set to false do not
> have the endorsed CA (KEY_FLAG_ECA) set. Allow these intermediate certs to
> be added. Requirements for an intermediate include: Usage extension
> defined as keyCertSign, Basic Constrains for CA is false, and the
> intermediate cert is signed by a current endorsed CA.
Intermediary keys should have the CA flag enabled as well. Why is
this needed? At least for the new Kconfig, please keep it simple as
to which certificates may be added to the machine keyring.
thanks,
Mimi
Powered by blists - more mailing lists