The help stuff you note does not tell what "Use system policy"
these are hard coded, there must be a description of what they are
I think we are having a hard time communicating what the word
Think of a "policy" as a built-in algorithm for determining whether a
certificate is trusted for a particular use.
For example, here's oversimplified pseudo-code for the built-in SSL
if (the cert chain verifies back to a root in X509Anchors) then
    if (the cert's common name is equal to the hostname of the
        if (the extended key usage field allows signing) then
return (not TRUSTED);
That is the hardcoded part, and the description of those policy
requirements is listed in the Help article I mentioned. Evidently the
article could stand some clarification.
"Use system policy" means "use the system's built-in policy
definition." Or, "do what the system would normally do by default
when evaluating this certificate."
If "Use custom settings" appears, how do I find out what the user
"Use custom settings" only appears in the first-level menu under
trust settings; it means, "at least one of the following policies has
been changed by the user." If you look at the list of popup menus for
the individual policies which follow, you'll notice that at least one
of them will *not* be "Use System Policy". The first menu is
basically a UI shortcut that lets you change all of the policies
below it at once, rather than having to do them all individually.
To find this information programmatically, you'd get the list of
possible policies (SecPolicySearchCreate, <Security/SecPolicySearch.h>)
and iterate through it, calling SecTrustGetUserTrust() for each policy
and the certificate of interest.
From: Ken McLeod <email@hidden>
Date: Mon, 26 Jun 2006 13:49:55 -0700
To: Paul Nelson <email@hidden>
Cc: Apple CDSA <email@hidden>
Subject: Re: Trust Settings / Use System Policy or Use System
Select "Keychain Access Help" from the Help menu, then search for
"trust policies". The article you want is titled "Certificate trust
policies"; it describes the built-in policies and what they mean.
Can someone tell me where the system policy/settings live? This
a pretty basic question to be asking for someone who has been
with the keychain for quite a while.
The "system policy" settings are hardcoded in the trust policy
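
The programmatic lookup described in the reply above (search for each policy, call SecTrustGetUserTrust() for the certificate, then decide which first-level menu text applies), as an added example that is not part of the original thread and not Apple's code. The helper names, the three sample policy OIDs, and the mapping of "no user override" to kSecTrustResultUnspecified are assumptions; the Security framework calls are the deprecated CDSA-era API and compile only on macOS.

```c
#include <stddef.h>
#include <string.h>
#ifdef __APPLE__
#include <Security/Security.h>
#define NO_USER_SETTING kSecTrustResultUnspecified
#else
#define NO_USER_SETTING 4u /* value of kSecTrustResultUnspecified, for non-macOS builds */
#endif

/* First-level menu text as described in the thread: "Use custom settings"
 * as soon as one per-policy setting differs from the system default.
 * Assumption: "no user override" is reported as kSecTrustResultUnspecified. */
const char *top_level_menu(const unsigned *settings, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (settings[i] != NO_USER_SETTING)
            return "Use custom settings";
    return "Use System Policy";
}

#ifdef __APPLE__
/* Hypothetical helper: user trust setting of `cert` for one policy OID. */
static OSStatus user_setting(SecCertificateRef cert, const CSSM_OID *oid, unsigned *out)
{
    SecPolicySearchRef search = NULL;
    SecPolicyRef policy = NULL;
    SecTrustUserSetting s = kSecTrustResultUnspecified;
    OSStatus st = SecPolicySearchCreate(CSSM_CERT_X_509v3, oid, NULL, &search);
    if (st == noErr) st = SecPolicySearchCopyNext(search, &policy);
    if (st == noErr) st = SecTrustGetUserTrust(cert, policy, &s);
    if (policy) CFRelease(policy);
    if (search) CFRelease(search);
    *out = (unsigned)s;
    return st;
}

/* Hypothetical helper: menu text for `cert`, or NULL if any lookup failed. */
const char *menu_for_cert(SecCertificateRef cert)
{
    const CSSM_OID *oids[] = { &CSSMOID_APPLE_TP_SSL, &CSSMOID_APPLE_TP_SMIME,
                               &CSSMOID_APPLE_X509_BASIC }; /* sample policies only */
    unsigned settings[3];
    for (size_t i = 0; i < 3; i++)
        if (user_setting(cert, oids[i], &settings[i]) != noErr)
            return NULL; /* report the failure instead of guessing a trust state */
    return top_level_menu(settings, 3);
}
#endif
```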
Apple-cdsa mailing list (email@hidden)