[kmf-discuss] proposal - new kmf_policy attribute
Huie-Ying Lee
huie-ying.lee at sun.com
Fri Feb 1 09:16:20 PST 2008
Wyllys Ingersoll wrote:
> Jan Pechanec wrote:
>> On Thu, 31 Jan 2008, Hai-May Chao wrote:
>>
>>
>>> This looks good to me. I just have some comments.
>>>
>>> As TA certificate is used by kmf_validate_cert() API,
>>> with the additional TA location parameter in the KMF policy,
>>> will that impose changes to be made to kmf_validate_cert()
>>> API? Will the TA location in the policy override the
>>> existing related attributes in kmf_validate_cert() API?
>>>
>> Hi Hai-May, I would agree with that. I can imagine that one may want
>> to copy the policy file and that the only thing that is different on the
>> other system could be the location of the TA certificate.
>>
>> so, how I see it those attributes could be optional if already
>> specified in the policy file, mandatory (for respective keystore types) if
>> not present in policy file, and if present in the kmf_validate_cert() then
>> always overriding the policy setting.
>>
>
> I agree, parameters to kmf_validate_cert take precedence over the policy.
>
This sounds good to me too.
>>
>>> [crl-basefilename=basefilename]
>>> [crl-directory=directory]
>>>
>>> This also may help to be more aligned with the two KMF
>>> attributes that kmf_validate_cert() uses:
>>> KMF_DIRPATH_ATTR and KMF_SUBJECT_NAME_ATTR.
>>>
>> I would also agree here. It's better if a user doesn't have to
>> remember the differences for particular functions.
>>
>
> I think that 'crl-basefilename' and 'crl-directory' should just be
> condensed into a single 'crl-pathname' which requires a fully qualified
> path. I dislike having to enter the directory and the filename separately,
> I wish we had not done that in the first place.
>
The reason that we have both "crl-basefilename" and "crl-directory" attributes
is because if the user doesn't provide the basefilename attribute, then the basefilename
will be the basename of the URI. With this, a user can have the same basename for the CRL
file as the one in the download server.
Maybe we should have compromised this convenience for the sake of consistency.
Huie-Ying
> I could do that for all of the policy items that refer to dir/file to be
> consistent.
>
> -Wyllys
>
> _______________________________________________
> kmf-discuss mailing list
> kmf-discuss at opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/kmf-discuss
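
The resolution rules discussed in this thread, as an added example that is not part of the original messages and is not KMF code: a call-supplied TA location overrides the policy value, and the CRL file name defaults to the basename of the URI when no base file name is given. The helper names `effective_ta` and `crl_path`, the sample paths and the rejection of empty or dot-only names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not a KMF API: pick the trust-anchor location.
 * A value passed to the call overrides the policy value. */
const char *effective_ta(const char *call_attr, const char *policy_attr)
{
    if (call_attr != NULL && *call_attr != '\0')
        return call_attr;
    if (policy_attr != NULL && *policy_attr != '\0')
        return policy_attr;
    return NULL;    /* neither set: a mandatory attribute is missing */
}

/* Hypothetical helper: build the local CRL path from the directory and
 * base file name, defaulting the name to the basename of the URI.
 * Returns 0 on success, -1 if no usable name results or out is too small. */
int crl_path(const char *dir, const char *basefilename, const char *uri,
             char *out, size_t outlen)
{
    const char *name = basefilename;
    int n;

    if (dir == NULL || *dir == '\0')
        return -1;
    if (name == NULL || *name == '\0') {
        const char *slash = (uri != NULL) ? strrchr(uri, '/') : NULL;
        name = (slash != NULL) ? slash + 1 : uri;
    }
    /* Added check (assumption): the name must be a plain file name, so
     * refuse empty names (URI ending in '/'), '/', "." and "..". */
    if (name == NULL || *name == '\0' || strchr(name, '/') != NULL ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return -1;
    n = snprintf(out, outlen, "%s/%s", dir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char path[256];
    /* Constructed sample values. */
    printf("TA: %s\n", effective_ta(NULL, "/etc/certs/ta.pem"));
    if (crl_path("/var/crl", NULL, "http://crl.example.com/pki/ca1.crl",
        path, sizeof (path)) == 0)
        printf("CRL: %s\n", path);
    return 0;
}
```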