From 65c8d66575ebfe1f1e90367923a8255c45530cd9 Mon Sep 17 00:00:00 2001 From: Sam Hartman Date: Mon, 27 Jun 2011 19:54:39 -0400 Subject: [PATCH] Add data for trust anchor ID card --- design/trust-anchor.mdwn | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/design/trust-anchor.mdwn b/design/trust-anchor.mdwn index d2dfdf2..ed0a74d 100644 --- a/design/trust-anchor.mdwn +++ b/design/trust-anchor.mdwn @@ -68,6 +68,15 @@ very consistent on this point. * Storing a certificate hash tends to create operational complexity if there is not an update mechanism when servers need to rekey +## What needs to represent a trust anchor on an ID card + +* An optional base64-encoded CA certificate (a relatively long base64 string) +* An optional subject name constraint (string) +* An optional subject alternative name constraint (string) +* An optional hash of a server certificate + +The server certificate hash field is mutually exclusive with the other fields. + ## An option -- 2.1.4
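Review bot: The new list under "What needs to represent a trust anchor on an ID card" marks all four fields optional and only states that the server certificate hash excludes the other fields, so a card carrying none of them is not ruled out, and it is left unsaid whether the subject name and subject alternative name constraints are meaningful on their own without the base64-encoded CA certificate. Consider replacing the closing sentence with an explicit rule such as "A trust anchor carries exactly one of: a CA certificate, optionally with subject name and/or subject alternative name constraints; or a server certificate hash." The hash field should also say which hash algorithm identifies the certificate, and, given the unchanged context line above the hunk about rekeying complexity when there is no update mechanism, a short pointer to how a stored hash is updated when the server rekeys would close that gap.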