[kmf-discuss] proposal - new kmf_policy attribute

Huie-Ying Lee huie-ying.lee at sun.com
Thu Jan 31 17:12:33 PST 2008


Wyllys Ingersoll wrote:
> The SSH/X.509 project developer has asked us if we can add a new optional
> parameter to the KMF Policy to indicate the keystore location of the TA 
> certificate.
> 
> I think it is a reasonable request, though we will have to file an arc 
> case to
> modify the kmfcfg interface and kmfpolicy.dtd.
> 
> My proposal would add something like this to the .xml/.dtd files:
> 
> <ta-location keystore=[file | pkcs11 | nss] name=[filename | token_label 
> | nss_db_dir]>
> 
> The kmfcfg would be modified as follows (for the 'create' and 'modify' 
> options only):
> 
> [ta-location=[file|pkcs11|nss:][filename|token_name|nss_db_directory]]
> 
> 
> If no one objects, I will file a fast-track case for this.
> 

If we add the keystore location of the TA certificate to the KMF policy, then we 
need to update kmf_validate_cert() also.  Currently, the kmf_validate_cert() API
requires a caller to specify these attributes already.   The related attributes
in kmf_validate_cert() are KMF_TOKEN_LABEL_ATTR, KMF_DIRPATH_ATTR and
KMF_KEYSTORE_TYPE_ATTR.

Huie-Ying
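To make the proposed syntax concrete, here is an added example (not code from the KMF project or from either poster) that parses the `ta-location=[file|pkcs11|nss:][filename|token_name|nss_db_directory]` form quoted above, renders the matching `<ta-location keystore=... name=...>` element, and maps the result onto the kmf_validate_cert() attributes named in the reply. The default keystore type when the prefix is omitted, and the use of KMF_CERT_FILENAME_ATTR for the file keystore, are assumptions of the example; KMF_TOKEN_LABEL_ATTR, KMF_DIRPATH_ATTR and KMF_KEYSTORE_TYPE_ATTR are the attributes the thread names.

```python
"""Parser for the proposed kmfcfg 'ta-location' option (added example).

Proposed syntax, from the thread:
    ta-location=[file|pkcs11|nss:][filename|token_name|nss_db_directory]
and the matching policy element:
    <ta-location keystore=[file | pkcs11 | nss] name=[...]>
"""
from xml.sax.saxutils import quoteattr

KEYSTORE_TYPES = ("file", "pkcs11", "nss")

# Which kmf_validate_cert() attribute carries the TA location for each
# keystore type.  KMF_TOKEN_LABEL_ATTR, KMF_DIRPATH_ATTR and
# KMF_KEYSTORE_TYPE_ATTR are the ones named in the reply; using
# KMF_CERT_FILENAME_ATTR for the file keystore is an assumption of this example.
LOCATION_ATTR = {
    "file": "KMF_CERT_FILENAME_ATTR",
    "pkcs11": "KMF_TOKEN_LABEL_ATTR",
    "nss": "KMF_DIRPATH_ATTR",
}


def parse_ta_location(value, default_keystore="file"):
    """Split 'type:name' into its parts.

    The type prefix is optional in the proposal; the default applied when it
    is missing is an assumption.  A prefix that is not one of the three known
    keystore types is rejected rather than silently treated as part of a
    filename, so a typo cannot redirect the trust-anchor lookup to the wrong
    store.  A filename that itself contains ':' must therefore be written
    with an explicit 'file:' prefix.
    """
    if not isinstance(value, str) or not value:
        raise ValueError("ta-location must be a non-empty string")
    keystore, sep, name = value.partition(":")
    if not sep:
        keystore, name = default_keystore, value
    if keystore not in KEYSTORE_TYPES:
        raise ValueError("unknown keystore type %r (expected one of %s)"
                         % (keystore, ", ".join(KEYSTORE_TYPES)))
    if not name:
        raise ValueError("ta-location %r has no filename/token/directory" % value)
    return {"keystore": keystore, "name": name}


def validate_cert_attrs(ta):
    """Attribute list a caller would pass to kmf_validate_cert() for this TA."""
    return [("KMF_KEYSTORE_TYPE_ATTR", ta["keystore"]),
            (LOCATION_ATTR[ta["keystore"]], ta["name"])]


def ta_location_xml(ta):
    """Render the element the proposal would add to the policy XML file."""
    return "<ta-location keystore=%s name=%s/>" % (
        quoteattr(ta["keystore"]), quoteattr(ta["name"]))


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    for arg in ("pkcs11:Sun Software PKCS#11 softtoken",
                "nss:/var/nss/db",
                "/etc/certs/ta.pem",
                "file:/tmp/odd:name"):
        ta = parse_ta_location(arg)
        print(arg, "->", validate_cert_attrs(ta), ta_location_xml(ta))
```

The strict handling of an unrecognised prefix is deliberate: because the same string selects which keystore the trust anchor is read from, a silently mis-parsed value would make validation consult a different store than the administrator intended, so the parser fails closed instead.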
