RFD: Services lockdown for security providers

Martin Balao mbalao at redhat.com
Fri May 26 00:15:02 UTC 2023


On 5/25/23 19:54, Wei-Jun Wang wrote:
> So, the filter will look like this?
> 
>     SunPKCS11-Name.Signature.*,!*.Signature.*,*
> 

Yes, that's right. The filter that you showed will do the following:

1) Accept Signature services provided by SunPKCS11-Name, irrespective of 
the algorithm;

2) Block Signature services from all non-SunPKCS11-Name providers; and,

3) Accept anything else (including certificate validation).
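The evaluation described in the reply above, modeled as an added example; it is not part of the original message and is not the JDK proposal's code. It assumes rules are tried left to right with the first match deciding, that each rule has the form Provider.ServiceType.Algorithm with `*` as a wildcard (a shorter rule such as a bare `*` is padded with wildcards), and that a service matching no rule is denied; `parse_filter`, `is_allowed`, `evaluate` and the sample services are hypothetical names and constructed data.

```python
import re

# Filter string quoted in the message above.
FILTER = "SunPKCS11-Name.Signature.*,!*.Signature.*,*"

def _glob(part):
    # '*' matches any run of characters; every other character is literal.
    return re.compile(".*".join(re.escape(p) for p in part.split("*")))

def parse_filter(text):
    """Return ordered rules as (allow, [provider_rx, type_rx, algorithm_rx])."""
    rules = []
    for raw in text.split(","):
        raw = raw.strip()
        if not raw:
            continue
        allow = not raw.startswith("!")        # leading '!' marks a deny rule
        # Split into at most three fields so dotted algorithm names (OIDs)
        # stay intact in the third field.
        parts = raw.lstrip("!").split(".", 2)
        parts += ["*"] * (3 - len(parts))      # bare "*" becomes "*.*.*"
        rules.append((allow, [_glob(p) for p in parts]))
    return rules

def is_allowed(rules, provider, service_type, algorithm):
    fields = (provider, service_type, algorithm)
    for allow, globs in rules:
        if all(rx.fullmatch(f) for rx, f in zip(globs, fields)):
            return allow                       # assumption: first match decides
    return False                               # assumption: no match means deny

# Constructed sample services: (provider, service type, algorithm).
SAMPLES = [
    ("SunPKCS11-Name", "Signature", "SHA256withRSA"),
    ("SunRsaSign", "Signature", "SHA256withRSA"),
    ("SunEC", "Signature", "1.2.840.10045.4.3.2"),
    ("SUN", "CertPathValidator", "PKIX"),
]

def evaluate(filter_text, samples=SAMPLES):
    rules = parse_filter(filter_text)
    return {s: is_allowed(rules, *s) for s in samples}

if __name__ == "__main__":
    for service, allowed in evaluate(FILTER).items():
        print("ALLOW" if allowed else "BLOCK", ".".join(service))
```

Under the first-match assumption, rule order is part of the policy: moving `!*.Signature.*` ahead of the SunPKCS11-Name rule blocks every Signature service, including the PKCS#11 one.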


