Re: [PATCH v3 07/10] KEYS: X.509: Flag Intermediate CA certs as endorsed

From: Mimi Zohar
Date: Thu Dec 15 2022 - 05:22:11 EST

Next message: Robin Murphy: "Re: [PATCH v7 23/25] PCI: dwc: Restore DMA-mask after MSI-data allocation"
Previous message: Mimi Zohar: "Re: [PATCH v3 00/10] Add CA enforcement keyring restrictions"
In reply to: Eric Snowberg: "[PATCH v3 07/10] KEYS: X.509: Flag Intermediate CA certs as endorsed"
Next in thread: Eric Snowberg: "[PATCH v3 03/10] KEYS: X.509: Parse Basic Constraints for CA"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Eric,

On Tue, 2022-12-13 at 19:33 -0500, Eric Snowberg wrote:
> Currently X.509 intermediate certs with the CA flag set to false do not
> have the endorsed CA (KEY_FLAG_ECA) set. Allow these intermediate certs to
> be added. Requirements for an intermediate include: Usage extension
> defined as keyCertSign, Basic Constrains for CA is false, and the
> intermediate cert is signed by a current endorsed CA.

Intermediary keys should have the CA flag enabled as well. Why is
this needed? At least for the new Kconfig, please keep it simple as
to which certificates may be added to the machine keyring.

thanks,

Mimi

Next message: Robin Murphy: "Re: [PATCH v7 23/25] PCI: dwc: Restore DMA-mask after MSI-data allocation"
Previous message: Mimi Zohar: "Re: [PATCH v3 00/10] Add CA enforcement keyring restrictions"
In reply to: Eric Snowberg: "[PATCH v3 07/10] KEYS: X.509: Flag Intermediate CA certs as endorsed"
Next in thread: Eric Snowberg: "[PATCH v3 03/10] KEYS: X.509: Parse Basic Constraints for CA"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]