Re: Trust Settings / Use System Policy or Use System Settings




On Jun 26, 2006, at 2:20 PM, Paul Nelson wrote:

> I don't think this is what I am getting at...
>
> The help stuff you note does not tell what "Use system policy" means. If these are hard coded, there must be a description of what they are somewhere.

I think we are having a hard time communicating what the word "policy" means.


Think of a "policy" as a built-in algorithm for determining whether a certificate is trusted for a particular use.

For example, here's oversimplified pseudo-code for the built-in SSL policy:

    if (the cert chain verifies back to a root in X509Anchors) then
        if (the cert's common name is equal to the hostname of the server) then
            if (the extended key usage field allows signing) then
                return (TRUSTED);
    return (not TRUSTED);


That is the hardcoded part, and the description of those policy requirements is listed in the Help article I mentioned. Evidently the article could stand some clarification.

"Use system policy" means "use the system's built-in policy definition." Or, "do what the system would normally do by default when evaluating this certificate."

> If "Use custom settings" appears, how do I find out what the user messed with?

"Use custom settings" only appears in the first-level menu under trust settings; it means, "at least one of the following policies has been changed by the user." If you look at the list of popup menus for the individual policies which follow, you'll notice that at least one of them will *not* be "Use System Policy". The first menu is basically a UI shortcut that lets you change all of the policies below it at once, rather than having to do them all individually.


To find this information programmatically, you'd get the list of possible policies (SecPolicySearchCreate, <Security/SecPolicySearch.h>) and iterate through it, calling SecTrustGetUserTrust() for each policy and the certificate of interest.

-ken


From: Ken McLeod <email@hidden>
Date: Mon, 26 Jun 2006 13:49:55 -0700
To: Paul Nelson <email@hidden>
Cc: Apple CDSA <email@hidden>
Subject: Re: Trust Settings / Use System Policy or Use System Settings


Select "Keychain Access Help" from the Help menu, then search for
"trust policies". The article you want is titled "Certificate trust
policies"; it describes the built-in policies and what they mean.

Can someone tell me where the system policy/settings live? This seems like a pretty basic question to be asking for someone who has been developing with the keychain for quite a while.

The "system policy" settings are hardcoded in the trust policy module.
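
Added example, not part of the original message and not Apple's code: a self-contained C model of the behaviour described in this thread, with the built-in SSL policy from the pseudo-code, a per-policy user setting that can replace its result, and the check for which policies the user changed. All type and function names, the ALWAYS_TRUST/NEVER_TRUST values and the sample data are assumptions made for illustration; it does not call Security.framework.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model types; not Security.framework declarations. */
typedef enum { USE_SYSTEM_POLICY, ALWAYS_TRUST, NEVER_TRUST } user_setting;
typedef struct { bool chains_to_anchor; const char *common_name; bool eku_allows_use; } cert_facts;
typedef struct { const char *name; user_setting setting; } policy_entry;

/* Built-in SSL policy, following the simplified pseudo-code in the message. */
bool ssl_system_policy(const cert_facts *c, const char *hostname) {
    if (!c->chains_to_anchor) return false;              /* chain to a trusted root */
    if (!c->common_name || strcmp(c->common_name, hostname) != 0) return false;
    return c->eku_allows_use;                            /* extended key usage check */
}

/* Assumption: a changed per-policy setting replaces the built-in result. */
bool evaluate(user_setting s, bool system_result) {
    if (s == ALWAYS_TRUST) return true;
    if (s == NEVER_TRUST) return false;
    return system_result;
}

/* Names of the policies whose setting is not the default; returns how many
   were collected. Nonzero is what the first-level menu shows as custom. */
size_t changed_policies(const policy_entry *p, size_t n, const char **out, size_t cap) {
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (p[i].setting != USE_SYSTEM_POLICY && k < cap) out[k++] = p[i].name;
    return k;
}

int main(void) {
    /* Constructed sample: an untrusted chain with a user override on SSL. */
    cert_facts cert = { false, "www.example.com", true };
    policy_entry settings[] = { {"SSL", ALWAYS_TRUST}, {"S/MIME", USE_SYSTEM_POLICY} };
    const char *names[2];
    size_t n = changed_policies(settings, 2, names, 2);
    bool sys = ssl_system_policy(&cert, "www.example.com");
    printf("system policy: %d, effective: %d\n", sys, evaluate(settings[0].setting, sys));
    for (size_t i = 0; i < n; i++) printf("changed by user: %s\n", names[i]);
    return 0;
}
```

In the constructed sample the certificate fails the built-in policy but is still reported as trusted, which is why a non-default per-policy setting is worth listing when auditing trust settings.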



