Date: Tue, 5 Jan 2016 19:00:53 +0200
From: Petko Manolov
To: David Howells
Cc: Mimi Zohar, dwmw2@infradead.org, David Woodhouse, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org
Subject: Re: [RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2]
Message-ID: <20160105170052.GB28071@localhost>
References: <1452010098.2772.169.camel@linux.vnet.ibm.com> <20160105154703.31650.95150.stgit@warthog.procyon.org.uk> <2752.1452012031@warthog.procyon.org.uk>
In-Reply-To: <2752.1452012031@warthog.procyon.org.uk>
On 16-01-05 16:40:31, David Howells wrote:
> Mimi Zohar wrote:
>
> > You're missing Petko's patch:
> > 41c89b6 IMA: create machine owner and blacklist keyrings
>
> It should also be cc'd to the keyrings mailing list.

Right.  If I am not terribly mistaken, there's no way to revoke a certificate that is in a CA hierarchy with the system keyring on top of it.  Certain scenarios require us to revoke them, as was presented at last year's LSS.

If x509_key_preparse() is not the right place, then where shall I place the check?

		Petko