[kmf-discuss] PSARC/2006/283 Certificate & PKCS#11 PAM module (pam_pkcs11)
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Tue Jan 8 05:51:16 PST 2008
Jan Pechanec wrote:
> On Tue, 8 Jan 2008, Darren J Moffat wrote:
>
>
>> I'm sponsoring this case for Huie-Ying Lee of the OpenSolaris KMF project. I'm
>> using this old case number as other ARC cases reference this case number as a
>> requirement for EOF removal of some old smartcard functionality.
>>
>
> hi Darren, during the recent discussion on kmf-discussion we came to the
> conclusion that certificate to user mapping capability should be exported by
> KMF since that's quite a common thing requested by applications working with
> certificates. While there is no draft on possible implementation, using
> dynamic modules seems to be the right thing so that we could add new
> mappings on the fly, possibly just with a new section in a configuration
> file.
>
Did we conclude that KMF was going to need some new interfaces or did we
decide that it should be done in a separate mapper? I am fine with adding
to KMF if necessary, I'm just trying to clarify what is being done and where.

(I took psarc-ext off of the CC list above for now)

-Wyllys
> mapper modules shipped with pam_pkcs11 seem like the way to go and
> to start with. I think that another consumer of such modules might be
> Kerberos.
>
> shouldn't we then consider certificate to username mapping a generic
> feature that is going to be needed by various parts of the system?
>
> having said that then for example /usr/lib/pam_pkcs11/ for storing
> shared mapper modules wouldn't fit into that picture of generic mapper
> modules used by various consumers in Solaris.
>
> thanks, Jan.
>