Update with new trust module information.

3 files changed, 92 insertions, 37 deletions

diff --git a/website/index.html.tmpl b/website/index.html.tmpl
index 4053bca..f4d695c 100644
--- a/website/index.html.tmpl
+++ b/website/index.html.tmpl
@@ -23,8 +23,8 @@
 		module.</p>

 	</li>

 	<li>

-		<h2><a href="system-module.html">Project: Trust Module</a></h2>

-		<p><a href="system-module.html">PKCS#11 Trust Module</a> 

+		<h2><a href="trust-module.html">Project: Trust Module</a></h2>

+		<p>The <a href="trust-module.html">PKCS#11 Trust Module</a> 

 		provides access to system certificates and trust policy.</p>

 	</li>

 	<li>

diff --git a/website/system-module.html.tmpl b/website/system-module.html.tmpl
index b324b9c..a3683ca 100644
--- a/website/system-module.html.tmpl
+++ b/website/system-module.html.tmpl
@@ -5,40 +5,6 @@
 {% block content %}
 <h1>Project: System Storage Module</h1>
 
-<p>This is a PKCS#11 module that will expose read-only storage of
-<a href="trust-assertions.html">trust assertions</a>, certificates and other
-objects to libraries and applications.</p>
-
-<p>The typical use case for this module is easy access to the system configured
-trusted root anchor certificates. Currently some other PKCS#11 modules already
-provide access to system certificates and trust assertions. But they do this
-in a desktop specific manner, for example Gnome Keyring.</p>
-
-<p>Coded in plain C so that it can be integrated into any library or app.
-Accesses information owned by root and configured by a system administrator
-or distro creator. These PKCS#11 objects are read-only and so don't need to go
-through a coordinating daemon. Thus we can implement an efficient, reliable
-lookup for these system certs and other objects, with less moving parts.</p>
-
-<h2>Documentation</h2>
-
-<p>Still in proposal/conceptual stages.</p>
-
-<h2>Source Repository</h2>
-
-<p>No source available yet.</p>
-
-<h2>Implementations and Integration</h2>
-
-<p>Still being planned.</p>
-
-<h2>Contributing</h2>
-
-<ul>
-	<li>Mailing list:
-		<a href="http://lists.freedesktop.org/mailman/listinfo/p11-glue">p11-glue@lists.freedesktop.org</a></li>
-	<li>Bugs:
-		<a href="https://bugs.freedesktop.org/enter_bug.cgi?product=p11-glue">bugs.freedesktop.org</a></li>
-</ul>
+<p>This has been renamed the <a href="trust-module.html">Trust Storage Module</a>.</p>
 
 {% endblock %}
diff --git a/website/trust-module.html.tmpl b/website/trust-module.html.tmpl
new file mode 100644
index 0000000..e3de277
--- /dev/null
+++ b/website/trust-module.html.tmpl
@@ -0,0 +1,89 @@
+{% extends "base.incl" %}
+
+{% block title %}Trust Storage Module{% endblock %}
+
+{% block content %}
+<h1>Project: Trust Storage Module</h1>
+
+<p>This is a PKCS#11 module that exposes read-only storage of system
+certificates and trust policy. It loads the certificates and trust
+storage from a directory of files.</p>
+
+<p>Crypto libraries are able to use this as a shared source of certificate
+authority anchors, black lists, and other locally stored system trust policy.</p>
+
+<p>There is work going on to define a comprehensive representation of
+this <a href="sharing-trust-policy.html">shared trust policy</a>. Once such a
+solution matures we hope to implement it in this PKCS#11 trust storage module.</p>
+
+<p>Also included will be a tool that can be used to extract certificates in
+various formats for crypto libraries not (or not yet) able to read from this
+PKCS#11 trust module directly.</p>
+
+<p>A goal is to have minimal dependencies, and be crypto library agnostic so this
+can be used by any library or app. Accesses information owned by root and configured
+by a system administrator or distro creator. These PKCS#11 objects are read-only
+and so don't need to go through a coordinating daemon. Thus we can implement an
+efficient, reliable lookup for these system certs and other objects, with less
+moving parts.</p>
+
+<h2>Source Repository</h2>
+
+<p>So far <a href="http://cgit.freedesktop.org/p11-glue/p11-kit/log/?h=trust">the code</a>
+lives in the <tt>trust</tt> branch of the <tt>p11-kit</tt> repository:</p>
+
+<pre>
+$ git clone git://anongit.freedesktop.org/p11-glue/p11-kit
+$ cd p11-kit
+$ git checkout trust
+</pre>
+
+<h2>Status</h2>
+
+<p>An initial implementation of the module is available, and you can try it out. A dependency
+on libtasn1-devel is required to build the PKCS#11 trust module.</p>
+
+<pre>
+$ sh autogen.sh --prefix=/usr --sysconfdir=/etc --libdir=/usr/lib64 --enable-debug \
+	--with-system-anchors=/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/anchors
+$ make
+$ sudo make install
+$ sudo mv -v /usr/lib64/libnssckbi.so /opt/libnssckbi.so.orig-nss
+$ sudo ln -sv pkcs11/p11-kit-trust.so /usr/lib64/libnssckbi.so
+</pre>
+
+<p>Now place some certificates in the <tt>--with-system-anchors</tt> location(s).
+Right now, as input, you can use DER, PEM or OpenSSL style 'trusted
+certificates'.</p>
+
+<p>For example you can tweak some trust policy bits like so:</p>
+
+<pre>
+$ openssl x509 -addtrust serverAuth -addreject clientAuth \
+	-in /path/to/my-ca.pem -out /etc/pki/tls/certs/anchors/my-ca.pem
+</pre>
+
+<p>Now you can run apps like Firefox and see the certificates appear in the
+Certificate manager and are trusted as appropriate. You can use a command like
+this to see some debug output:</p>
+
+<pre>
+$ P11_KIT_DEBUG=all firefox
+</pre>
+
+<p>The extraction tool is not yet ready.</p>
+
+<h2>Documentation</h2>
+
+<p>Still in proposal/conceptual stages.</p>
+
+<h2>Contributing</h2>
+
+<ul>
+	<li>Mailing list:
+		<a href="http://lists.freedesktop.org/mailman/listinfo/p11-glue">p11-glue@lists.freedesktop.org</a></li>
+	<li>Bugs:
+		<a href="https://bugs.freedesktop.org/enter_bug.cgi?product=p11-glue">bugs.freedesktop.org</a></li>
+</ul>
+
+{% endblock %}