On Tue, 2015-07-28 at 10:03 -0700, Andy Lutomirski wrote:
> 
> This will require that we take any firmware vendor's key and rewrap it
> somehow into a new X.509 blob with a key usage constraint.

There are established ways of handling those constraints as external
objects (see how NSS does it in its trust tokens, and thus p11-kit
-trust does too).

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse@intel.com                              Intel Corporation