[kmf-discuss] proposal - new kmf_policy attribute

Hai-May Chao Hai-May.Chao at sun.com
Thu Jan 31 17:15:48 PST 2008


This looks good to me. I just have some comments.

As the TA certificate is used by the kmf_validate_cert() API,
with the additional TA location parameter in the KMF policy,
will that require changes to the kmf_validate_cert()
API? Will the TA location in the policy override the
existing related attributes in the kmf_validate_cert() API?

With regard to the "ta-location" -
[ta-location=[file|pkcs11|nss:][filename|token_name|nss_db_directory]]

If the keystore of the TA is "file", shall we have two
values - directory and filename - to constitute the TA's
name, instead of only the filename? I thought this way would
be more consistent with the existing crl attributes in the
kmfcfg command:

               [crl-basefilename=basefilename]
               [crl-directory=directory]

This may also help it be more aligned with the two KMF
attributes that kmf_validate_cert() uses:
KMF_DIRPATH_ATTR and KMF_SUBJECT_NAME_ATTR.

When the keystore of the TA is "nss", we need token_name
as its slot label to find a TA certificate. It seems
nss_db_directory will not be required.

Hai-May



Wyllys Ingersoll wrote:
> The SSH/X.509 project developer has asked us if we can add a new optional
> parameter to the KMF Policy to indicate the keystore location of the TA 
> certificate.
> 
> I think it is a reasonable request, though we will have to file an arc 
> case to
> modify the kmfcfg interface and kmfpolicy.dtd.
> 
> My proposal would add something like this to the .xml/.dtd files:
> 
> <ta-location keystore=[file | pkcs11 | nss] name=[filename | token_label 
> | nss_db_dir]>
> 
> The kmfcfg would be modified as follows (for the 'create' and 'modify' 
> options only):
> 
> [ta-location=[file|pkcs11|nss:][filename|token_name|nss_db_directory]]
> 
> 
> If no one objects, I will file a fast-track case for this.
> 
> -Wyllys
> 
> 
> 
> _______________________________________________
> kmf-discuss mailing list
> kmf-discuss at opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/kmf-discuss
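As an added illustration of the syntax under discussion (this is not code from libkmf, kmfcfg or either poster), a small C parser for the proposed kmfcfg `ta-location` value; it assumes that a missing keystore prefix means the "file" keystore and that the name part is required, neither of which the proposal states.

```c
/* Parser for the proposed kmfcfg value syntax:
 *   [ta-location=[file|pkcs11|nss:][filename|token_name|nss_db_directory]]
 * Added example, not project code. Assumptions (not in the thread):
 * a missing prefix defaults to the "file" keystore, the name part must be
 * non-empty, and an unrecognised "xxx:" prefix is an error rather than a
 * filename, so a typo such as "pkcs-11:" cannot silently select a file. */
#include <stdio.h>
#include <string.h>

typedef enum { TA_KS_FILE, TA_KS_PKCS11, TA_KS_NSS } ta_keystore_t;

typedef struct {
    ta_keystore_t keystore;
    char name[256];   /* filename, token label or NSS db directory */
} ta_location_t;

/* Returns 0 on success, -1 on a malformed value. */
int parse_ta_location(const char *value, ta_location_t *out)
{
    static const struct { const char *prefix; ta_keystore_t ks; } table[] = {
        { "file:", TA_KS_FILE }, { "pkcs11:", TA_KS_PKCS11 }, { "nss:", TA_KS_NSS }
    };
    const char *name;
    size_t i;

    if (value == NULL || out == NULL)
        return -1;
    out->keystore = TA_KS_FILE;   /* assumed default when no prefix is given */
    name = value;
    for (i = 0; i < sizeof table / sizeof table[0]; i++) {
        size_t plen = strlen(table[i].prefix);
        if (strncmp(value, table[i].prefix, plen) == 0) {
            out->keystore = table[i].ks;
            name = value + plen;
            break;
        }
    }
    /* No known prefix matched but a ':' is present: reject as ambiguous. */
    if (name == value && strchr(value, ':') != NULL)
        return -1;
    if (*name == '\0' || strlen(name) >= sizeof out->name)
        return -1;
    strcpy(out->name, name);   /* length already bounded above */
    return 0;
}

int main(void)
{
    ta_location_t loc;   /* constructed sample value */
    if (parse_ta_location("pkcs11:Sun Software PKCS#11 softtoken", &loc) == 0)
        printf("keystore=%d name=%s\n", (int)loc.keystore, loc.name);
    return 0;
}
```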