[kmf-discuss] PSARC/2006/283 Certificate & PKCS#11 PAM module (pam_pkcs11)

Jan Pechanec Jan.Pechanec at Sun.COM
Tue Jan 8 05:59:19 PST 2008


On Tue, 8 Jan 2008, Wyllys Ingersoll wrote:

>> 	hi Darren, during the recent discussion on kmf-discussion we came to 
>> the conclusion that certificate to user mapping capability should be 
>> exported by KMF since that's quite a common thing requested by applications 
>> working with certificates. While there is no draft on possible 
>> implementation, using dynamic modules seems to be the right thing so that 
>> we could add new mappings on the fly, possibly just with a new section in a 
>> configuration file.
>>
>
>Did we conclude that KMF was going to need some new interfaces or did we 
>decide that it should be done in a separate mapper?  I am fine with adding 
>to KMF if necessary, I'm just trying to clarify what is being done and where.

	we concluded that KMF should offer an API for certificate to login 
name mapping. We didn't conclude how exactly to do it.

	the idea suggested was to internally use dynamic modules so that new 
mappings could be added on the fly. Obviously, pam_pkcs11 mapper modules seem 
like a good start. KMF could also use the same config file syntax as already 
used for mappings' specifications.

	that's the reason for the suggestion that pam_pkcs11 mapper modules 
could become a generic solution for more Solaris consumers of such 
functionality. I need the mapping stuff for the SunSSH/x509 project, and 
ideally from the KMF API (I guess I could use the mapper object directly but 
that wouldn't be a good solution). I can try to come up with some rough draft 
for this if that would be helpful.

	J.

-- 
Jan Pechanec

