Hi Mat,

On 10/21/2016 03:52 PM, Mat Martineau wrote:
> Verifying certificate chains was a little awkward using the
> L_KEYRING_TRUSTED_ASYM keyring type, which required verifying the
> signature and then separately adding the verified certificate to the
> "trusted" keyring.
>
> With L_KEYRING_TRUSTED_ASYM_CHAIN, the destination keyring is also
> searched for signing keys.
>
> One use model is to have two keyrings:
>
> 1. trust_keyring: contains long-lived root and intermediate CA certs.
> 2. verify_keyring: an L_KEYRING_TRUSTED_ASYM_CHAIN keyring that
>    is created with "trust_keyring" referenced for
>    trusted certificates.
>
> In order to validate new certificates, they are added to verify_keyring
> in series, starting with certs that are signed by those in
> trust_keyring. Once an intermediate CA cert is added to verify_keyring,
> certs signed by that intermediate CA can also be added to verify_keyring.
> ---
>  ell/key.c | 22 ++++++++++++++++------
>  ell/key.h |  3 ++-
>  2 files changed, 18 insertions(+), 7 deletions(-)
>

All four applied, thanks.

Regards,
-Denis
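The two-keyring flow quoted above, as an added example that is not part of the thread, of ell's key.c, or of the kernel keyring code: a plain trust_keyring holds the root, and a restricted verify_keyring accepts a certificate only when its signature checks against a key found in trust_keyring or, in chain mode, in verify_keyring itself. The Keyring and Cert classes, the `restricted`/`trusted`/`chain` parameters and the "no chain" contrast are assumptions made for this illustration and are not ell's API; the certificate names, prime pairs and the textbook RSA (no padding, ~60-bit moduli) are constructed stand-ins for the kernel's "asymmetric" key type so the script runs offline, and must never be used for real signatures.

```python
"""Model of the trust_keyring / verify_keyring flow from the quoted patch.

Added illustration only: not ell's key.c, not the kernel keyring code.
Toy textbook RSA over fixed ~60-bit primes stands in for the kernel's
"asymmetric" key type so the example runs offline; never use it for real.
"""
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by every toy key

# Constructed prime pairs for the toy keys (root, intermediate, leaf, rogue).
PRIME_PAIRS = [
    (1000000007, 1000000009),
    (1000000021, 1000000033),
    (1000000087, 1000000093),
    (1000000097, 1000000103),
]


def keypair(p, q):
    """Return (n, d): the public modulus and the private exponent."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return n, d


def _digest(data, n):
    """SHA-256 of data reduced mod n (no padding: toy scheme)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(n, data, sig):
    return pow(sig, E, n) == _digest(data, n)


@dataclass(frozen=True)
class Cert:
    """Minimal certificate: who it names, its key, who signed it, and how."""
    subject: str
    pubkey: int      # toy RSA modulus; the exponent is the shared E
    issuer: str      # subject name of the signing certificate
    signature: int   # issuer's signature over tbs()

    def tbs(self):
        return f"{self.subject}|{self.pubkey}|{self.issuer}".encode()


def issue(subject, pubkey, issuer, issuer_priv):
    tbs = Cert(subject, pubkey, issuer, 0).tbs()
    return Cert(subject, pubkey, issuer, sign(issuer_priv, tbs))


class Keyring:
    """Hypothetical stand-in for the keyring types named in the patch.

    restricted=False          : plain keyring, anything can be added.
    trusted=ring, chain=False : signer must be in `trusted`
                                (the L_KEYRING_TRUSTED_ASYM behaviour).
    trusted=ring, chain=True  : signer may be in `trusted` or in this
                                keyring itself (L_KEYRING_TRUSTED_ASYM_CHAIN).
    """

    def __init__(self, restricted=True, trusted=None, chain=False):
        self.certs = {}  # subject -> Cert
        self.restricted = restricted
        self.trusted = trusted
        self.chain = chain

    def _signers(self, issuer):
        rings = [r for r in (self.trusted, self if self.chain else None) if r]
        return [r.certs[issuer] for r in rings if issuer in r.certs]

    def add(self, cert):
        """Add cert; return False if no acceptable signing key verifies it."""
        ok = not self.restricted or any(
            verify(s.pubkey, cert.tbs(), cert.signature)
            for s in self._signers(cert.issuer)
        )
        if ok:
            self.certs[cert.subject] = cert
        return ok


def demo():
    """Walk the quoted use model and return which additions were accepted."""
    root_priv, inter_priv, leaf_priv, rogue_priv = (keypair(*pq) for pq in PRIME_PAIRS)
    root = issue("Root CA", root_priv[0], "Root CA", root_priv)
    inter = issue("Intermediate CA", inter_priv[0], "Root CA", root_priv)
    leaf = issue("server", leaf_priv[0], "Intermediate CA", inter_priv)
    # Claims the intermediate as issuer but is signed by an unrelated key.
    rogue = issue("server", rogue_priv[0], "Intermediate CA", rogue_priv)

    trust_keyring = Keyring(restricted=False)
    trust_keyring.add(root)
    verify_keyring = Keyring(trusted=trust_keyring, chain=True)
    no_chain = Keyring(trusted=trust_keyring, chain=False)

    return {
        # Order matters: the leaf's signer is not known yet.
        "leaf_before_intermediate": verify_keyring.add(leaf),
        "intermediate": verify_keyring.add(inter),
        "leaf_after_intermediate": verify_keyring.add(leaf),
        "rogue_leaf": verify_keyring.add(rogue),
        # Without chain mode the intermediate never becomes a usable signer.
        "intermediate_no_chain": no_chain.add(inter),
        "leaf_no_chain": no_chain.add(leaf),
    }


if __name__ == "__main__":
    for step, accepted in demo().items():
        print(f"{step:26} {'accepted' if accepted else 'rejected'}")
```

The ordering constraint in the quoted text is the part worth checking: the same leaf is rejected before its intermediate has been added and accepted afterwards, and a non-chain keyring never accepts it at all because it only ever consults trust_keyring.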