[kmf-discuss] Re: Solaris Key Management Framework
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Wed Jan 24 17:48:10 PST 2007
Chris Newman wrote:
> Unfortunately I missed the talk, but I have a few questions:
No problem.
BTW - I added "kmf-discuss at opensolaris.org" to the CC list
as this is good information and can be discussed in the open.
>
> First, most Sun applications are cross-platform and will have to
> provide a key management interface for customers. As long as KMF is
> Solaris-only, it actually makes the key/cert management problem worse
> by introducing yet another API and interface that can't be used
> everywhere in a real world deployment. What are your cross-platform
> plans?
I think it is unrealistic to expect other platforms to adopt our system,
as much as I would like them to. The code is available on OpenSolaris
under CDDL, so theoretically, it could be ported, but I haven't heard
of anyone who wanted to do so. Maybe once we get more traction
internally, we will focus on getting some external adoption. I think
it will be a long process.
>
> Second, some Sun applications use the Java certificate framework.
> Does KMF support that or have plans to do so?
There is overlap with the Java keystores as long as they are not using
the private serialized storage method. The KMF tools can read PKCS#12,
PEM, and DER files that the Java tools use so it is possible to use
things like 'pktool' to look into Java keystores (as long as they are not
using the serialized store, obviously). I have had some discussions with
the Java team about areas of overlap and cooperation, but we haven't
yet nailed down a plan of action.
>
> There are three possible outcomes for Sun
> middleware/JES/applications:
>
> 1. Each Sun product gives different advice for key management, some
> bundle their own CLIs/GUIs/APIs and no cross-platform product
> recommends KMF.
Sort of like how it is currently (or pre-KMF).
> 2. Sun middle-ware/JES/applications get together and
> build a cross-platform replacement for certutil/pk12util/etc, and
> recommend their tool instead of KMF.
pktool (as of Nevada build 53 and an upcoming S10 update release)
can already replace most of the functionality of those utilities.
We would like to have it promoted as "the tool" for managing JES
keystores since it is actually supported and documented whereas the NSS
"certutil" is not.
> 3. KMF is built cross-platform
> for Sun middleware/JES/applications and recommended across the board.
In a perfect world...
> Which of these three outcomes do you want? Personally, I think
> option 3 is the right direction for Sun, but one of the other two
> options will happen unless your team wants 3 to happen.
I would like 3 to happen, but I don't see where we have the resources
to make it so. I think option 2 is a decent compromise position to take,
at least for now.
thanks,
Wyllys