| field | value | date |
|---|---|---|
| author | Stef Walter <stefw@redhat.com> | 2014-09-10 08:54:42 +0200 |
| committer | Stef Walter <stefw@redhat.com> | 2014-09-10 08:54:42 +0200 |
| commit | 6d3ca034aa5ee8474bf194429be152067f82fde4 | |
| tree | e89a0a99a1326d8e0de183227b310cbcb0db4ba9 | |
| parent | cea1bc82e4c26bce9a10fbf194ac8be88cb84fad | |
Use the term 'attached extensions' [before-move]
The term 'stapled extensions' is confusing because it overloads
terminology used with OCSP stapling.
Suggested by Daniel Kahn Gillmor.
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | specs/storing-trust-model.xml | 54 |
| -rw-r--r-- | specs/storing-trust-pkcs11.xml | 14 |
| -rw-r--r-- | specs/storing-trust-retrofit.xml | 4 |
| -rw-r--r-- | specs/trust-assertions.xml | 2 |
| -rw-r--r-- | website/index.html.tmpl | 2 |

5 files changed, 38 insertions, 38 deletions
diff --git a/specs/storing-trust-model.xml b/specs/storing-trust-model.xml index ba4537a..7f1c721 100644 --- a/specs/storing-trust-model.xml +++ b/specs/storing-trust-model.xml @@ -114,8 +114,8 @@ This document wishes to define such a standard.</para> </sect2> -<sect2 id="concept-stapled"> - <title>About Stapled Extensions</title> +<sect2 id="concept-attached"> + <title>About Attached Extensions</title> <para>X.509 certificate extensions usually define the ways that a certificate can be used to represent trust policy. Usually these 
@@ -126,29 +126,29 @@ X.509 certificate we can represent out-of-band trust policy, as defined by a system builder, administrator or user.</para> - <para>We will refer to these additional extensions as <emphasis>Stapled + <para>We will refer to these additional extensions as <emphasis>Attached Extensions</emphasis>.</para> - <para>When both standard X.509 certificate extensions and stapled extensions are - present, the stapled extension is to be used instead of the certificate - extension with the same OID in the certificate itself. In this way stapled + <para>When both standard X.509 certificate extensions and attached extensions are + present, the attached extension is to be used instead of the certificate + extension with the same OID in the certificate itself. In this way attached certificate extensions override policy defined in the certificate, if any.</para> <para>This has the implication that if only one portion of a certificate extension - needs to be adjusted by a stapled certificate extension, that entire + needs to be adjusted by a attached certificate extension, that entire extension will be overridden for that certificate. This is intentional. Each extension that contains trust policy should be treated as a whole unit of trust policy. This includes changing the critical field of an extension. This is part of the whole.</para> - <para>For each certificate, there may not be more than one stapled certificate extension of a given + <para>For each certificate, there may not be more than one attached certificate extension of a given identifier or type. There is no way to automatically merge certificate - extensions. It may be possible for applications which store stapled + extensions. It may be possible for applications which store attached certificate extensions (such as a management interface) to merge certain extensions in some way. 
However that is out of the scope of this document.</para> - <para>Stapled certificate extensions are associated with the subject public key info + <para>Attached certificate extensions are associated with the subject public key info of the anchor or certificate.</para> </sect2> @@ -338,7 +338,7 @@ anchor in a certificate chain with a length longer than one) the BasicConstraints extension must be present with a isCa field set to TRUE. This extension can be present either in - the certificate or stapled to it.</para></listitem> + the certificate or attached to it.</para></listitem> </itemizedlist> </sect2> @@ -402,12 +402,12 @@ </itemizedlist> </sect2> -<sect2 id="model-stapled"> - <title>Set: Stapled Extensions</title> +<sect2 id="model-attached"> + <title>Set: Attached Extensions</title> <para>This is a known set of certificate extensions that should be applied to a public key, which define or adjust trust policy for it. Items in the - stapled extensions set contain the following fields:</para> + attached extensions set contain the following fields:</para> <variablelist> <varlistentry> 
@@ -427,37 +427,37 @@ characteristics:</para> <itemizedlist> - <listitem><para>Stapled extensions are associated with a public key.</para></listitem> - <listitem><para>Multiple stapled extensions may be present for a given public key.</para></listitem> + <listitem><para>Attached extensions are associated with a public key.</para></listitem> + <listitem><para>Multiple attached extensions may be present for a given public key.</para></listitem> </itemizedlist> <para>Implementation notes:</para> <itemizedlist> - <listitem><para>To lookup all stapled extensions for a given certificate + <listitem><para>To lookup all attached extensions for a given certificate or public key, callers should perform a lookup operation on this set using the public key info as the lookup field.</para></listitem> <listitem><para>Callers which are validating certificate chains should, - retrieve all stapled extensions for each certificate in the chain - and use those stapled extensions as if they had been present in - the respective certificate. If a stapled extension has the same - extnID value as one present in the certificate, the stapled + retrieve all attached extensions for each certificate in the chain + and use those attached extensions as if they had been present in + the respective certificate. 
If an attached extension has the same + extnID value as one present in the certificate, the attached certificate extension should be used instead.</para></listitem> - <listitem><para>Callers storing stapled extensions in the store, should never + <listitem><para>Callers storing attached extensions in the store, should never store duplicate extensions in the set that contain the same extnID value, just as you would not place multiple extensions in a certificate with the same extnID.</para></listitem> - <listitem><para>To change whether a certificate is an authority or not, a - stapled BasicConstraints extension is added with the relevant + <listitem><para>To change whether a certificate is an authority or not, an + attached BasicConstraints extension is added with the relevant isCa and pathlen fields.</para></listitem> - <listitem><para>An ExtendedKeyUsage or KeyUsage stapled extension may + <listitem><para>An ExtendedKeyUsage or KeyUsage attached extension may be added to a certificate when the system builder or administrator wishes to define or override which purposes a certificate can be used for (eg: server authentication, email, etc.)</para></listitem> <listitem><para>In combination with having a certificate an anchor, these - stapled extensions may be used to constrain for what purposes + attached extensions may be used to constrain for what purposes anchors can be used.</para></listitem> - <listitem><para>A NameConstraints stapled certificate extension may be + <listitem><para>A NameConstraints attached certificate extension may be added to a certificate when the system builder or administrator wishes to define which end entity names can be signed by a given certificate.</para></listitem> diff --git a/specs/storing-trust-pkcs11.xml b/specs/storing-trust-pkcs11.xml index 1aff81a..a41a31b 100644 --- a/specs/storing-trust-pkcs11.xml +++ b/specs/storing-trust-pkcs11.xml 
@@ -9,7 +9,7 @@ It is often used with smart cards.</para> <para>Here we outline how to use PKCS#11 as a store for trust policy, containing sets - for anchors, blacklist, and stapled extensions.</para> + for anchors, blacklist, and attached extensions.</para> <simplesect id="pkcs11-store"> <title>Store representation</title> @@ -220,15 +220,15 @@ </simplesect> <simplesect> - <title>Set: Stapled Extensions</title> + <title>Set: Attached Extensions</title> <para>A new object class is defined of type <literal>CKO_X_CERTIFICATE_EXTENSION</literal>. Each - object of this class represents one stapled certificate extension. It + object of this class represents one attached certificate extension. It contains the following (standard and newly defined) attributes (in addition to the standard data storage attributes):</para> <para>The following attribute is set on items that are part of the - set of stapled extensions:</para> + set of attached extensions:</para> <variablelist> <varlistentry> @@ -237,12 +237,12 @@ </varlistentry> </variablelist> - <para>Items in the set of stapled extensions set contain the following fields:</para> + <para>Items in the set of attached extensions set contain the following fields:</para> <variablelist> <varlistentry> <term><literal>CKA_PUBLIC_KEY_INFO</literal></term> - <listitem><para>The public key associated with the stapled + <listitem><para>The public key associated with the attached extension. A DER encoded SubjectPublicKeyInfo sequence as defined in X.509.</para></listitem> </varlistentry> @@ -254,7 +254,7 @@ </varlistentry> <varlistentry> <term><literal>CKA_OBJECT_ID</literal></term> - <listitem><para>The DER-encoded OID of the stapled certificate + <listitem><para>The DER-encoded OID of the attached certificate extension. This is the exact contents of the extnID field in the Extension sequence.</para></listitem> </varlistentry> diff --git a/specs/storing-trust-retrofit.xml b/specs/storing-trust-retrofit.xml index b010fe6..1dea929 100644 
--- a/specs/storing-trust-retrofit.xml +++ b/specs/storing-trust-retrofit.xml @@ -40,7 +40,7 @@ <title>Retrofit: NSS trust objects</title> <para>It is possible to model NSS PKCS#11 trust objects on top of an underlying storage - based on stapled certificate extensions. This will only enforce the KeyUsage + based on attached certificate extensions. This will only enforce the KeyUsage and ExtendedKeyUsage extensions. Blacklists are modeled by marking all usages as untrusted.</para> </sect1> @@ -48,7 +48,7 @@ <sect1 id="rerofit-openssl-x509-store"> <title>Retrofit: OpenSSL X509_STORE</title> <para>It is possible to model an OpenSSL X509_STORE implementation on top of an - underlying storage based on stapled certificate extensions. This will only + underlying storage based on attached certificate extensions. This will only enforce the ExtendedKeyUsage extensions. Blacklists are enforced by rejecting all usages.</para> </sect1> diff --git a/specs/trust-assertions.xml b/specs/trust-assertions.xml index 64fdf4b..73fa840 100644 --- a/specs/trust-assertions.xml +++ b/specs/trust-assertions.xml @@ -34,7 +34,7 @@ <para>Further work on this topic continues under the <ulink url="http://p11-glue.freedesktop.org/doc/sharing-trust-policy/">Sharing Trust Policy</ulink> specification, including the concept of - Stapled Certificate Extensions.</para> + Attached Certificate Extensions.</para> </section> <section id="introduction"> diff --git a/website/index.html.tmpl b/website/index.html.tmpl index f4d695c..aa097f8 100644 --- a/website/index.html.tmpl +++ b/website/index.html.tmpl @@ -14,7 +14,7 @@ <h2><a href="sharing-trust-policy.html">Spec: Sharing Trust Policy</a></h2>
<p>Sharing <a href="sharing-trust-policy.html">trust policy</a>
allows multiple crypto libraries to make coherent decsions.
- Stapled certificate extensions are a part of this.</p>
+ Attached certificate extensions are a part of this.</p>
</li>
<li>
<h2><a href="pkcs11-uris.html">Spec: PKCS#11 URIs</a></h2>
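Review bot: in storing-trust-model.xml, hunks @@ -114 and @@ -402 rename the section ids `concept-stapled` and `model-stapled` to `concept-attached` and `model-attached`, but no matching `linkend` or `xref` update appears anywhere in the diff, and any published URL ending in `#concept-stapled` or `#model-stapled` now dangles. Either grep the specs for the old ids before merging, or leave the ids alone: an id is not reader-facing text, so it does not have to follow the terminology change.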
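Review bot: hunk @@ -126 of storing-trust-model.xml introduces a grammar error: `needs to be adjusted by a attached certificate extension` should read `by an attached certificate extension`. The later hunk @@ -427 in the same file does fix the article (`an attached BasicConstraints extension is added`), so this occurrence was simply missed by the search-and-replace.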
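Review bot: hunk @@ -237 of storing-trust-pkcs11.xml rewrites `Items in the set of attached extensions set contain the following fields:`, carrying a doubled `set` over from the old text; since the line is being changed anyway, drop one: `Items in the set of attached extensions contain the following fields:`.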
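Review bot: hunk @@ -48 of storing-trust-retrofit.xml shows the context line `<sect1 id="rerofit-openssl-x509-store">`, where `rerofit` is a typo for `retrofit`. It is not part of this change, and because it is an anchor, correcting it breaks any existing link to that section, so it deserves its own commit rather than a drive-by here; flagging it so it is not forgotten.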
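Review bot: hunk @@ -34 of specs/trust-assertions.xml only swaps the term, and nowhere in the patch does the text say that the concept was previously called `Stapled Certificate Extensions`. Readers of earlier drafts, or of code and mailing-list threads that still use the old name, get no way to connect the two. Suggest a one-line note in the `concept-attached` section of storing-trust-model.xml, along the lines of `(earlier drafts of this specification called these "stapled extensions")`.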
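Review bot: hunk @@ -14 of website/index.html.tmpl carries the context line `allows multiple crypto libraries to make coherent decsions.`; `decsions` should be `decisions`. Pre-existing, but the paragraph is already being edited, so the fix can ride along.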