[kmf-discuss] PSARC/2006/283 Certificate & PKCS#11 PAM module (pam_pkcs11)
Darren J Moffat
Darren.Moffat at Sun.COM
Tue Jan 8 04:10:50 PST 2008
Jan Pechanec wrote:
> On Tue, 8 Jan 2008, Darren J Moffat wrote:
>
>> I'm sponsoring this case for Huie-Ying Lee of the OpenSolaris KMF project. I'm
>> using this old case number as other ARC cases reference this case number as a
>> requirement for EOF removal of some old smartcard functionality.
>
> Hi Darren, during the recent discussion on kmf-discussion we came to the
> conclusion that certificate-to-user mapping capability should be exported by
> KMF, since that's quite a common thing requested by applications working with
> certificates. While there is no draft on a possible implementation, using
> dynamic modules seems to be the right thing, so that we could add new
> mappings on the fly, possibly just with a new section in a configuration
> file.
>
> Mapper modules shipped with pam_pkcs11 seem like the way to go and the
> place to start. I think that another consumer of such modules might be
> Kerberos.
Which is one of the reasons that the mapper modules this case provides
are Volatile and not Committed.
> Shouldn't we then consider certificate-to-username mapping a generic
> feature that is going to be needed by various parts of the system?
Yes we should but I don't believe anyone is ready to bring a case for
that yet.
> Having said that, then for example /usr/lib/pam_pkcs11/ for storing
> shared mapper modules wouldn't fit into that picture of generic mapper
> modules used by various consumers in Solaris.
Which is why this is a Volatile interface - so that when the future case
comes along to do this more generically, it can, if it needs to, move the
mapping modules provided by this case.
I don't see anything in this case that stops the project team providing
a generic cert mapping functionality later, even based on the modules
that this case provides.
--
Darren J Moffat