[kmf-discuss] PSARC 2006/283 Certificate & PKCS#11 PAM, module

Darren J Moffat Darren.Moffat at Sun.COM
Fri Apr 4 02:23:40 PDT 2008 

Wyllys Ingersoll wrote:
> I disagree.   For many weeks now the submitter has answered the 
> questions and made all of the corrective actions requested by the ARC on 
> this case and now there is talk of derailing it?    I don't think any 
> architectural issues were found with the project.  The documentation is 
> weak, but the submitter has agreed to work with the open source group 
> that owns it to address the doc issues. 

I'm with Wyllys on this.  The quality of documentation isn't really an 
ARC concern.  The ARC's concern is are they presented with sufficient 
specification to understand the architecture.  Consider that for most 
projects we never see the actual documentation (other than sometimes 
draft man pages) at ARC review time.

> The "auditable administration" question was answered already - there is 
> no auditable interface for any PAM configuration files or any other 
> files that are managed via "vi" (or whatever editor) for that matter.

I think the issue is more about the modules own config file, however 
there are recently approved ARC cases for PAM modules that use $EDITOR 
as the admin interface.

Also there are plenty of other cases recently that have security 
relevant configuration files that have no admin interface - consider 
things like SSL/TLS configuration of Apache/PHP etc.

> Discussions over how best to merge FOSS and ARC needs is something that 
> should be discussed outside of this case. 
> 
> The project team has been playing fetch-a-rock for too long.  The final 
> specs have been submitted, I think Darren is planning on putting them in 
> the case dir very soon.   This case should be approved so the team can 
> move ahead.

The only difference was the removal of the pkc11_event_manager.

Given the case has been derailed as fast-track submitter I'm taking case 
ownership of this.

Since the project team has no intention of changing the specification or 
playing further rock fetching games I see no value in having a meeting.

I'm calling for an EMAIL VOTE now.

If there are TCRs please articulate them very specifically in a form 
that can realistically be implemented as part of your reply.

-- 
Darren J Moffat

More information about the kmf-discuss mailing list