Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp2916857rwb; Fri, 9 Dec 2022 07:50:12 -0800 (PST) X-Google-Smtp-Source: AA0mqf5Wq1s1hDNO5hZh6J0yNNrsnnruJc7hvUSIDjPevDCkheVgVWaorCROb5vxf6ZhOJy07VMy X-Received: by 2002:a17:907:c20d:b0:7ad:d063:902f with SMTP id ti13-20020a170907c20d00b007add063902fmr6130396ejc.0.1670601012527; Fri, 09 Dec 2022 07:50:12 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1670601012; cv=pass; d=google.com; s=arc-20160816; b=yLkB3AylrpA8Am43BIT/JOFHUr3s+GnR4NvEbBARnDpVvFDs1sBbMlHzBmhmnG+GAA PfrZ1QjM2zs3D28AOGfHNA1He4hUQGoMwlOjamjU/kzp4lKaahWaeGV/xumcWY57CahD GlqZmsRD1vxRI0mHusctEa6vzcH4bqvFyDlLIG1S2dwlmjPHig1k+asZXsyiNQ/YllYT qjeGIMZAzHPlkF1O2tYBj287lRedxI/yjwck+GAaCb4SCVciWVL98o/FM5HWsrT4BNC0 xkjaF1qUQnriMdeBI95bwOTdWx7F3X+SOm/Tesl8rRvPNbR+agcHzNhJk+uD4KWgi6aP bxTw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:content-transfer-encoding :content-id:content-language:accept-language:in-reply-to:references :message-id:date:thread-index:thread-topic:subject:cc:to:from :dkim-signature:dkim-signature; bh=JHkwOogfG2FY2JaA3Vbnp7WcKjjAH/3tJMmW92wcUtU=; b=B2VVW7vcownpQhc8fohnitYXtVmWlrAP0YSzz5pS//yEg8w5spq8Pus1w34OaR/C9S tEe6qqiMuri+VBxz62IM22QSiCrbmIyx50Q7Kr8FttYe+jh7Q1aW8BKJ7DkP6mOwt33H d+wsbjteYqoaPdMGlKCJ9DVRGedCnSOERs6xBC5dzro7PoKDG6twS+ensxf0ldOfKHZk CYHKZ3fVFWlY2u0DTjydOWAuZV/EGf+8f1evCL9xgNv8Fwq5F65B9Np73efSyow36jNw 1Go048u5o99we12lKt5R1quhuL/1oN3J0vvS7re/GK7Dq67hqplKduXzRiY29WNaRR/y 3miA== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2022-7-12 header.b="Mp9b7/bc"; dkim=pass header.i=@oracle.onmicrosoft.com header.s=selector2-oracle-onmicrosoft-com header.b=DXnAJ1SN; arc=pass (i=1 spf=pass spfdomain=oracle.com dkim=pass dkdomain=oracle.com dmarc=pass fromdomain=oracle.com); spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id hs36-20020a1709073ea400b007c10640d8e0si55196ejc.723.2022.12.09.07.49.45; Fri, 09 Dec 2022 07:50:12 -0800 (PST) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2022-7-12 header.b="Mp9b7/bc"; dkim=pass header.i=@oracle.onmicrosoft.com header.s=selector2-oracle-onmicrosoft-com header.b=DXnAJ1SN; arc=pass (i=1 spf=pass spfdomain=oracle.com dkim=pass dkdomain=oracle.com dmarc=pass fromdomain=oracle.com); spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230110AbiLIPo4 (ORCPT + 99 others); Fri, 9 Dec 2022 10:44:56 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34168 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229460AbiLIPoy (ORCPT ); Fri, 9 Dec 2022 10:44:54 -0500 Received: from mx0b-00069f02.pphosted.com (mx0b-00069f02.pphosted.com [205.220.177.32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9579027938; Fri, 9 Dec 2022 07:44:53 -0800 (PST) Received: from pps.filterd (m0246631.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 2B9EwuYl012891; Fri, 9 Dec 2022 15:44:21 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=corp-2022-7-12; bh=JHkwOogfG2FY2JaA3Vbnp7WcKjjAH/3tJMmW92wcUtU=; b=Mp9b7/bcmFMbyitI4ha/x4fJFkJLOyLSvZy8oCcg0ubET9sc6SiCcsHAxnI5RyqaYNM5 tRanOjNVgrq/hJw8iMalhyCNKq7QWcODSdJIuqLbofxvsKdDiBTBPv9Y0B/hEec2h/Dw VeMpW7N5zk0K5cSWFtaGPCXrPkO0UtvitGTanVnVqtACZYLcEP1L9YZGiyFLqCtzkjCv 4LKc4yf9pkhG7n7UDmx/anf2I6hUKL60n2Jrb5kliApAIPzdrMN4Z+VUzKyVc+ifUhsW IqcoJbULY2X+1pxfHf38CQTBHplVT32+IV0xBGfB+OWxpWdWuNBPuibgKBOeLYE0C4IQ Cw== Received: from iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com (iadpaimrmta03.appoci.oracle.com [130.35.103.27]) by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3mauduwawj-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 09 Dec 2022 15:44:21 +0000 Received: from pps.filterd (iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com [127.0.0.1]) by iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com (8.17.1.5/8.17.1.5) with ESMTP id 2B9EASQH006731; Fri, 9 Dec 2022 15:44:20 GMT Received: from nam12-bn8-obe.outbound.protection.outlook.com (mail-bn8nam12lp2170.outbound.protection.outlook.com [104.47.55.170]) by iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com (PPS) with ESMTPS id 3maa81gvrg-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 09 Dec 2022 15:44:20 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WIiHSkOjBn8ezYUvJAgWJhEeOTFpjGLM/D7VITvaLZ8zVWRkesDLCWI8kkOMAfqnlk2LG+sE/k4J13csrPDWQ4fckoHT8HpFxom46vZV0Tn7vTAs0HD2IKO8lBJ8/g9C3Yq73EPFoN2PZCoh1sDYbHznU5JSzTjcVLBPl6yMFGQGkPZ74pb1l6eiBbPcNp4SuRhD3FadCZk8K6mvBe0uykn0IdYEtzK5dE9tyCnu1zXpAfAw/63OAoavfJTc8473k3c3vm8Uaz94PyDSALiv2JEDC/kUNR2+lzTbiBjVdQdt++QjbHTOgPkA92LY8jkyHK/9OGTZiKRvZTFXMwWwHQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=JHkwOogfG2FY2JaA3Vbnp7WcKjjAH/3tJMmW92wcUtU=; b=XB64+6vT+h4RCPA6ZBkfs611jEUxUF3p14j2Cn/8b3D95u+hjrKPyuN5rEvntXUoixVVn0rgV32E1nxbJ23gBTe7LoMCc5pkIsIfHrdZpp5jgbjWZtR0p8KbuykDS/eBUnqnS6Q9KPe8cS73mH/ct9WKc+jtWOxKOtOaAlk4A9ntiP3nhNoI0pM6lqsG570sBRmxKCfbHp77eCFmULDghQG1El7V53XjZeSytJ71C2cs8v78j+Yu2w8Sj3vaPY7mLxNswBm1J1Hb3MBiNwACl7gGT1vra2p6m9jDQEL6d+4uj9Jma8Mnm01T2jh6b/X3HqftEYUXkzO1293zEDvY6w== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=JHkwOogfG2FY2JaA3Vbnp7WcKjjAH/3tJMmW92wcUtU=; b=DXnAJ1SNQ4donS8Cb8he/Q6rkB6KosoHAv90dAEE+uxIZhhtI7ceTS+pmtxJT1i34IMeIt/UyJVHOZzqfKO9wARwJQ8Lw2b9EkZ8D1HDkqIhR25+U0PRrA73xLA3u6JYkJgd09z1R3qFtCdyeyNHBnJYmdcFBhn9g0F/q/Txr2M= Received: from CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) by PH0PR10MB5896.namprd10.prod.outlook.com (2603:10b6:510:146::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5880.18; Fri, 9 Dec 2022 15:44:17 +0000 Received: from CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::f006:f411:9056:63a4]) by CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::f006:f411:9056:63a4%4]) with mapi id 15.20.5880.016; Fri, 9 Dec 2022 15:44:17 +0000 From: Eric Snowberg To: Mimi Zohar , Coiby Xu , Jarkko Sakkinen CC: David Howells , David Woodhouse , "herbert@gondor.apana.org.au" , "davem@davemloft.net" , "dmitry.kasatkin@gmail.com" , "paul@paul-moore.com" , "jmorris@namei.org" , "serge@hallyn.com" , "pvorel@suse.cz" , "noodles@fb.com" , "tiwai@suse.de" , "bp@suse.de" , Kanth Ghatraju , Konrad Wilk , Elaine Palmer , "keyrings@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "linux-crypto@vger.kernel.org" , "linux-integrity@vger.kernel.org" , "linux-security-module@vger.kernel.org" Subject: Re: [PATCH v2 00/10] Add CA enforcement keyring restrictions Thread-Topic: [PATCH v2 00/10] Add CA enforcement keyring restrictions Thread-Index: AQHZCl8bkpg6/vUjKkKDWz2KOwAYDq5lXJMAgABY3gA= Date: Fri, 9 Dec 2022 15:44:17 +0000 Message-ID: <5AF81A9E-C4E7-4BEB-86E1-4D2DB613FBF1@oracle.com> References: <20221207171238.2945307-1-eric.snowberg@oracle.com> <20221209102612.wa3oftpqupzplx6h@Rk> In-Reply-To: <20221209102612.wa3oftpqupzplx6h@Rk> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-mailer: Apple Mail (2.3696.120.41.1.1) x-ms-publictraffictype: Email x-ms-traffictypediagnostic: CH2PR10MB4150:EE_|PH0PR10MB5896:EE_ x-ms-office365-filtering-correlation-id: c3b3d20e-3fb1-4315-16e0-08dad9fc3b1d x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: 8TS2NEwWQoNr67nca7U+53QJHAbqd4GOUz4NnT2TnPip/WEGjFRIGsiVnt93kbx21+mHmokMWNeFqLEDLoHUccp4ww1nLxmUw+fln/6BxwMWceI6T6G7FZSmjyFQekrcKhW6RyEhGQ804YimppYuwQNp0Ye0ltgrJq7LJEoS0pH/rE5b+6KbYCGelrCqtVg2aVO2Z93ieuZ8V4NrxxB10qCi4xGEqi58K4fQwkv5SSKzyZ2/SmbvrU5xhk5vtDP/2q2frFpK1fXQqnHOLm1vpwPWx5lJcdeaQ4uMmC6nHAodNFsjwW30Z5aGhlA6i+MicyGopxG/luHtoViB6dPs186Xx2DCnEFdkBCM4c2udsJhbeOKWnzBckxw2zU+nIA/0bAb5AMOQ/NhrJtQibN+W12PAjqeSJkM79A/j3easxZP8AyYtlgpzPnuJnlvQIVQ6eVk8/JVCG0k0mrhoZdE20AMmJp+VXZRKuiitI49pN0PSFAMPVojEPWumYXIH4FC4qZ432UCABWQhNmZPjMZJ3grRRt4NnKUhqF/FqylQMpyw48jA0DCmkkBIJapVzkCn6tiZY2/In7YvhMVL7o+34O0Y+T6fvRV8JBZJnRqKKou1PICYoljYvWQw397nTBovfhRCCH23roRR/aBNHp0isn10DwSgt81eheAu8I9wrDfLCyCWAjAgyqDuzy65/ADGR1s9VA9XLzJhivnM4fAoisadSsD6VgLwWNTuJOM8fmoDmrJmt0fCSkM+3r61L0vGOW+QYn46qkQBTVKo5tayArPKZ1wVttYUnRcbZdadcI= x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CH2PR10MB4150.namprd10.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230022)(346002)(376002)(396003)(136003)(366004)(39860400002)(451199015)(36756003)(38070700005)(26005)(6512007)(2616005)(186003)(2906002)(8676002)(54906003)(110136005)(316002)(86362001)(71200400001)(6486002)(33656002)(478600001)(53546011)(6506007)(966005)(8936002)(122000001)(4326008)(38100700002)(66946007)(66556008)(64756008)(66476007)(66446008)(76116006)(91956017)(44832011)(83380400001)(7416002)(5660300002)(41300700001)(45980500001);DIR:OUT;SFP:1101; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?kwO0l4hUUBXeaGpj7S3QndmCEjG9NOd6ituvCRGQ/Bqg0fkpfiQkvINWAOIr?= =?us-ascii?Q?hNcJe3ctJWELiWs4cVU2QZeA3x2hJsRrfZkGXUDivyqh8T48xAMdZ9u8K++K?= =?us-ascii?Q?KNH4v6XsOzkqW0q/DcgxEdPzdZuZvtk82dKIDv+jnU12WDb7ey17B9Lqo+ja?= =?us-ascii?Q?oHU9fumNbz87yIe6j9NCo7npcCHWSIA+3SOq9TlYnaMDVsTcEy3rktBJ4zb2?= =?us-ascii?Q?mu5G+T1xvZFutxCw4O43PQfooPCfUQdUejMwdJCqpgdVIfSNVVG+LMPRbdTl?= =?us-ascii?Q?7D5IZFJI/E7cgJxeYIJKq5eQQmripTQBQs/sfNpYS3xzbB5JrPfvO6lJhgwJ?= =?us-ascii?Q?CQ1cpukn5KgjGpuyQP6+EkTc54y9QKcZKJBAROcJ/Q3cXM8O7qQumhHr6TYb?= =?us-ascii?Q?VL6Irnlek/wUiKaL+t0Rk55lZ2yxUg/LyawlNJAxYhBHJGS9cGuU2RNUmC4D?= =?us-ascii?Q?/mYToID+qJroiwKWrlrF1JpUmO/Ddmx9TT4y3yf2vVuT/jrmqLvuYTPU60VD?= =?us-ascii?Q?6AHgT5SeKZxA95WSiE11rxLzFKCZKMjQFPGjPYJ96GvgBJh90DrzAHKg39Ln?= =?us-ascii?Q?LMcerFC04Lw48CLtckNbjTOCMXOyyx+hPA355ydK1BKNuQfXZc5OReC7ohry?= =?us-ascii?Q?9DAOh1N10q/EnIvdtu3uy+rXdsJnE/P6sjS9kWbNwtJZk9lPzjbfRIkL73Sg?= =?us-ascii?Q?q/iTN8/xrF553WCcEY1E6o+4IaX1xNzfBweH3xa1wPioD+hVNYfyzb3kZK1Z?= =?us-ascii?Q?fv/aycYqShLeSUJDRRKNUDGgDaYMByAWWnjkEjJy8oUjWlN68cOiFZNoD4sb?= =?us-ascii?Q?fCdD96XcupP4uSfH9zW2tz/+JyJpcEr8UoV9HIiGwMPCIUsm5N8lml973Dbf?= =?us-ascii?Q?f4BGz9UBYzEVilXDIhOgF26fces5FIAG/TxF3ALWUmDIcFulgIlpJ2an6Svw?= =?us-ascii?Q?M8wnYnAyC8YaExeVafkk4a1t+Awdo6S61W2GMIdEeaSfU23WqGannxQ7OPEA?= =?us-ascii?Q?bCPLX8/1swC1vEpmC7m6QsxJfxfDa9v9jvnRwMTr+9p+DKs2uarqXG6mKSkF?= =?us-ascii?Q?Y6aOhArEKsQDiwCg92dvk9znGOUJtH0bTnXzHVuyj89UJyLH4Q75il3U+CuI?= =?us-ascii?Q?FpxbofMddIK3EAlEtZ7kv+y70bdxRZNFIwctQTcCgjPMchACZj11DPOwnx5c?= =?us-ascii?Q?GGUOq4FSwackPQ57A2296ODiPhk26KrnvLIxKpyj5kVjnlaOXSDcXcnbEPof?= =?us-ascii?Q?qqAbvk+G+oc1Qp5VqhRmbqKVrEj51e8QbfeFzzj7rycT4RKmNYB5nHYrVa7s?= =?us-ascii?Q?ESB1J/D9S8U7yv8CRyNfEj6hyTiCU43sp2ryRTAQqTyL4YKoq3uWHVv8jU9W?= =?us-ascii?Q?z1lbHx3akbeIcgtT1O8keZt1C8n7oM7jc2EPMY5bhGd+QrwoVp6xJoWmg6Qf?= =?us-ascii?Q?6XOfBVFu4zhLDdl8oJfVKAYb1WETCK2exhjaZIzzPWpHJAL3g7iNYEEK8cbG?= =?us-ascii?Q?ttVitxXgIJ43sEV+shApLdvWQl1Qoy7pPvYgGvMtKAIhnQO1rNiVl6s0wOst?= =?us-ascii?Q?lJEbJz/n568Nxa2N0qZ98zKdtRHJVWEZdvRlXW+gqt9DlCel0T6vdQ1Mdg7O?= =?us-ascii?Q?lg=3D=3D?= Content-Type: text/plain; charset="us-ascii" Content-ID: <2D94D23D2990B84B90D67B3D2EF05FB8@namprd10.prod.outlook.com> Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: c3b3d20e-3fb1-4315-16e0-08dad9fc3b1d X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Dec 2022 15:44:17.2625 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: dUpSL1qLL/vBQYAyHVGicg8uLXrta4Hlb8w9PZYyoNEyLbmxEC8kIUyWUrA/MFHxlFhseou8Da8f9FKF8GwznD11oJlG6l8hW98K/N+ckAc= X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR10MB5896 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.923,Hydra:6.0.545,FMLib:17.11.122.1 definitions=2022-12-09_08,2022-12-08_01,2022-06-22_01 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxscore=0 spamscore=0 adultscore=0 suspectscore=0 mlxlogscore=845 malwarescore=0 phishscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2210170000 definitions=main-2212090121 X-Proofpoint-ORIG-GUID: wjjGgnpYtUYqSFN5WzRGqYMqT-Q3u9Q7 X-Proofpoint-GUID: wjjGgnpYtUYqSFN5WzRGqYMqT-Q3u9Q7 X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org > On Dec 9, 2022, at 3:26 AM, Coiby Xu wrote: >=20 > Thanks for your work! The patch set looks good to me except for the > requirement of an intermediate CA certificate should be vouched for by a > root CA certificate before it can vouch for other certificates. What if > users only want to enroll an intermediate CA certificate into the MOK? This question would need to be answered by the maintainers. The intermedia= te=20 requirement was based on my understanding of previous discussions requiring there be a way to validate root of trust all the way back to the root CA. > If this requirement could be dropped, the code could be simplified and > some issues could be resolved automatically, Agreed. I will make sure the issue below is resolved one way or the other, once we have an agreement on the requirements.=20 > 1. "[PATCH v2 03/10] KEYS: X.509: Parse Basic Constraints for CA" added > a root_ca filed to a certificate to indicate the subject of the > certificate is a CA. The name root_ca implies it's also a root CA. But > according to [1], both an intermediate and root CA will have > root_ca=3DTrue. For example, the intermediate certificate of > https://www.kernel.org/ has "Certificate Authority=3DYes" in the basic > constraints. Btw, a root CA certificate by definition is self-signed, > so the following code in "[PATCH v2 05/10] KEYS: Introduce a CA > endorsed flag" looks a bit strange to me, > if (cert->kcs_set && cert->self_signed && cert->root_ca) > prep->payload_flags |=3D KEY_ALLOC_PECA; >=20 > 2. Since an intermediate CA certificate also has root_ca=3DTrue, > "[PATCH v2 07/10] KEYS: X.509: Flag Intermediate CA certs as > endorsed" won't work as intended i.e. this following else branch > will never be reached, > else if (!cert->self_signed && !cert->root_ca) > prep->payload_flags |=3D KEY_MAYBE_PECA; >=20 > 3. I see nowhere public_key->key_is_ca is set to true for an intermediate > CA certificate after it gains the KEY_ALLOC_PECA flag. So it will fail > restrict_link_by_ca even if the KEY_MAYBE_PECA flag is added. >=20 > [1] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.9 Thanks for reviewing the series.