[kmf-discuss] proposal - new kmf_policy attribute

Wyllys Ingersoll wyllys.ingersoll at sun.com
Thu Feb 21 12:30:17 PST 2008


I'm trying to pick up where we left off before...

The discussion was about how to best add a new (optional) "ta-location"
parameter to the policy database and support it in kmfcfg.

The issue raised was whether or not we should have separate
options for the directory and pathname like we do for crls
(crl-basefilename, crl-directory).

My opinion is that we should allow ta-location to be specified as a full
pathname and also to deprecate the use of the "crl-basefilename" and
"crl-directory" options in favor of "crl-pathname".  We can programmatically
derive the basename and directory name from the crl-pathname (assuming it is
properly formed in the first place).

So, the new proposal looks something like this:


kmfcfg(1) will be modified for the "create" and "modify" options to support
a new "ta-location" option:

[ta-location=[file|pkcs11|nss:][filename|token_name|nss_db_directory]]

crl-basefilename and crl-directory will no longer appear in the "help"
text but will remain supported for backwards compat. The "new" crl will
be specified as

[crl-filename=path_to_crl_file]

If crl-filename is present, crl-directory and/or crl-basefilename will
be ignored.

The default kmfpolicy.xml will not need to change since it does not
include any of those options now.  The kmfpolicy.dtd will have to be
modified to allow for the new options.

Once we are in agreement, I will file a PSARC fast-track.

-Wyllys
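
Added example, not part of the original message and not KMF code: one way the proposed precedence (crl-filename overrides crl-directory and crl-basefilename) and the derivation of directory and base name from a full pathname could be written in C. The struct, the function names and the "." default for a missing directory are assumptions made for illustration.

```c
#include <string.h>

/* Hypothetical container for the three CRL options; not a libkmf type. */
struct crl_opts {
    const char *filename;     /* proposed crl-filename (full path) */
    const char *directory;    /* legacy crl-directory */
    const char *basefilename; /* legacy crl-basefilename */
};

/* Copy n bytes of src into dst as a C string; -1 if it does not fit. */
static int put(char *dst, size_t dlen, const char *src, size_t n)
{
    if (n + 1 > dlen)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/*
 * Resolve the effective CRL directory and base name (hypothetical helper).
 * crl-filename, when set, overrides the legacy pair.
 * Returns 0 on success, -1 on a malformed or missing location.
 */
int crl_resolve(const struct crl_opts *o, char *dir, size_t dlen,
    char *base, size_t blen)
{
    const char *p = o->filename;
    if (p != NULL && *p != '\0') {
        const char *slash = strrchr(p, '/');
        if (slash == NULL)          /* bare name: assume current directory */
            return put(dir, dlen, ".", 1) | put(base, blen, p, strlen(p));
        if (slash[1] == '\0')       /* ends in '/': no file named */
            return -1;
        size_t n = (slash == p) ? 1 : (size_t)(slash - p); /* keep "/" */
        return put(dir, dlen, p, n) | put(base, blen, slash + 1, strlen(slash + 1));
    }
    if (o->basefilename == NULL || *o->basefilename == '\0')
        return -1;
    p = (o->directory != NULL && *o->directory != '\0') ? o->directory : ".";
    return put(dir, dlen, p, strlen(p)) |
        put(base, blen, o->basefilename, strlen(o->basefilename));
}

int main(void)
{
    char d[64], b[64];
    struct crl_opts o = { "/var/crl/ca.crl", "/old", "old.crl" }; /* constructed */
    return crl_resolve(&o, d, sizeof d, b, sizeof b); /* 0 = resolved */
}
```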




