[Freeipa-devel] CA certificate renewal, shared store trust settings

Nalin Dahyabhai nalin at redhat.com
Thu May 29 17:44:27 UTC 2014


I'm working on adding to certmonger the ability to read the IPA root
certificate from the server and store it locally, and I'm looking at the
V4 shared certificate store feature [1] with an eye toward also pulling
down and processing those certificates.  Before I head down that path,
I've got a few questions about the schema that the page describes for
storing trust information.

Is the ipaKeyTrust attribute meant to be a part of the ipaKeyPolicy
object class?

Looking at the ipaKeyTrust attribute, the description suggests that it's
a directoryString that should contain one of 'unknown', 'trusted', or
'distrusted' as its value.  The syntax doesn't guarantee that, and that
ambiguity makes me a little nervous.  Any chance of tweaking the schema
to remove that possibility?

The ipaKeyExtUsage attribute, along with ipaKeyTrust values of 'trusted'
and 'distrusted', appears to map pretty directly to the sort of
information that OpenSSL stores in trusted certificates [2], but going
through the man pages for x509(1) and verify(1), I don't see anything
that obviously corresponds to an ipaKeyTrust value of 'unknown'.  What's
that value intended to signify, and how would consumers of the
certificates be expected to treat certificates from entries with that
ipaKeyTrust value?

Are there examples of what the ipaKeyUsage attribute should contain?

Is there a recommended method for mapping from this representation to
the form that we'd pass to certutil(1)'s '-t' option when storing the
certificates in NSS databases, or is the intent that it be translated
into NSS-specific PKCS#11 attributes set on those certificates?

Thanks,

Nalin

[1] http://www.freeipa.org/page/V4/CA_certificate_renewal#Shared_certificate_store
[2] http://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-existing.html#openssl-trusted
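Added example, not part of the original message and not FreeIPA's or certmonger's code: one illustrative way to translate the ipaKeyTrust / ipaKeyExtUsage values discussed above into certutil(1) '-t' trust flags, rejecting any ipaKeyTrust string outside the three documented values instead of guessing. The EKU-to-slot assignments and the conservative handling of 'unknown' are assumptions of the example.

```python
"""Map ipaKeyTrust / ipaKeyExtUsage entry values to certutil(1) '-t' flags.

Illustrative only (assumption): certutil takes three comma-separated flag
groups, SSL, email and object signing. Which EKU lands in which group, and
what 'unknown' should mean, are choices made for this example.
"""

# RFC 5280 id-kp OIDs -> (certutil slot, flag). Assumed mapping.
FLAG_BY_EKU = {
    "1.3.6.1.5.5.7.3.1": (0, "C"),  # serverAuth: trusted CA for SSL servers
    "1.3.6.1.5.5.7.3.2": (0, "T"),  # clientAuth: trusted CA for SSL clients
    "1.3.6.1.5.5.7.3.4": (1, "C"),  # emailProtection: trusted CA for S/MIME
    "1.3.6.1.5.5.7.3.3": (2, "C"),  # codeSigning: trusted CA for object signing
}

VALID_TRUST = ("unknown", "trusted", "distrusted")


def trust_flags(ipa_key_trust, ipa_key_ext_usage=()):
    """Return the certutil '-t' string for one CA certificate entry.

    ipa_key_trust: the ipaKeyTrust directoryString. Because the syntax does
    not constrain it, anything outside the documented values is an error.
    ipa_key_ext_usage: EKU OIDs from ipaKeyExtUsage; an empty sequence is
    taken to mean "trusted for all three usages" (assumption).
    """
    if ipa_key_trust not in VALID_TRUST:
        raise ValueError("unexpected ipaKeyTrust value: %r" % (ipa_key_trust,))
    if ipa_key_trust == "distrusted":
        return "p,p,p"  # explicitly prohibited for every usage
    if ipa_key_trust == "unknown":
        return ",,"     # store it, assert no trust; chain validation still runs

    slots = [set(), set(), set()]
    if not ipa_key_ext_usage:
        slots = [{"C", "T"}, {"C"}, {"C"}]
    for oid in ipa_key_ext_usage:
        hit = FLAG_BY_EKU.get(oid)
        if hit is not None:  # EKUs with no certutil counterpart are ignored
            slots[hit[0]].add(hit[1])
    return ",".join("".join(sorted(s)) for s in slots)


if __name__ == "__main__":
    # Constructed sample entries, not real IPA data.
    print(trust_flags("trusted", ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"]))
    print(trust_flags("distrusted"))
```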
