[Pki-devel] [PATCH] 496 Converted TPS profile doc into man page.

Christina Fu cfu at redhat.com
Tue May 13 18:02:29 UTC 2014


Just a few comments:

1. How about changing "userKey" to "<tokenType>", and "signing" to 
"<keyType>"?

+The following property specifies the CUID shown in the certificate.
+
+.B op.enroll.userKey.keyGen.signing.cuid_label

+
+The following property specifies the token name.
+All resulting labels for co-existing keys on the same token must be unique.
+
+.B op.enroll.userKey.keyGen.signing.label
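
Review bot: the text for `op.enroll.userKey.keyGen.signing.label` calls it "the token name", but the property sits under a key type and the sentence after it talks about labels of co-existing keys, so say whether this is the label of the key or certificate object or the name of the token itself. Neither `cuid_label` nor `label` is shown with a sample value or the accepted format; an example value for each would let a reader check the uniqueness requirement.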

2. How about replacing all references to "RA" (an outdated name for "TPS") 
with "TPS"?

3. We added support for ECC, so a couple of params were added to the mix (I have 
my understanding of what they are, but it's best to ask Jack to provide 
official info on those two):

+The following properties specify the key usage and which PIN user should be granted.
+
+.nf
*+.B op.enroll.<tokenType>.keyGen.<keyType>.alg=1**
**+.B op.enroll.<tokenType>.keyGen.<keyType>.keySize=1024*
+.B op.enroll.<tokenType>.keyGen.<keyType>.keyUsage=0
+.B op.enroll.<tokenType>.keyGen.<keyType>.keyUser=0
+.fi
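
Review bot: the lead sentence covers only key usage and PIN user, while the `.nf` block under it also lists `alg` and `keySize`; extend the sentence or give those two their own paragraph. The numeric values (`alg=1`, `keyUsage=0`, `keyUser=0`) are shown without saying what each number selects, so a reader cannot set them from this page; list the accepted values and their meaning. If the sample is meant for RSA keys, `keySize=1024` is a weak size to present as the value readers will copy, and a larger one such as 2048 would be a safer example.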

3. Same comment from 1 for the following:

+There is a special case of tokenType userKeyTemporary.
+Make sure the profile specified by the profileId to have
+short validity period (e.g. 7 days) for the certificate.
+
+.nf
+.B op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher
+.B op.enroll.userKeyTemporary.keyGen.signing.publisherId=fileBasedPublisher
+.f
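
Review bot: the last line of this block is `.f`, which leaves the `.nf` region unclosed, so the text that follows it in the page stays in no-fill mode; it should be `.fi`. In the paragraph above it, "Make sure the profile specified by the profileId to have short validity period" does not parse; "Make sure the profile specified by profileId has a short validity period" reads correctly.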

4. You asked me about the following; I think I just realized what it was 
now.  It's for things like
op.enroll.userKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey
so, a generic thing is:
op.enroll.<tokenType>.keyGen.<keyType>.recovery.<tokenState>.scheme=GenerateNewKey

+The three recovery schemes supported are:
+  \fBGenerateNewKey\fR - Generate a new cert for the encryption cert.
+  \fBRecoverLast\fR - Recover the most recent cert for the encryption cert.
+  \fBGenerateNewKeyandRecoverLast\fR - Generate new cert AND recover last for encryption cert.
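
Review bot: the three descriptions speak of generating or recovering a "cert" while the scheme names (`GenerateNewKey`, `RecoverLast`) refer to keys, and "Generate a new cert for the encryption cert" reads circularly; state for each scheme what happens to the encryption key and what happens to its certificate. In the lines shown, the list is not preceded by the property these values are assigned to, so name that property just before the list.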

5. For the following you might want to add a generic thing as well,
e.g.
op.enroll.<tokenType>.renewal.*

+.SS Token Renewal

5. There seem to be profile-related comments for "Format Operation For 
tokenKey" and "Pin Reset Operation For CoolKey".  Are they significant 
enough to be added?

thanks,
Christina


On 05/07/2014 10:49 AM, Endi Sukma Dewata wrote:
> On 5/7/2014 12:14 PM, Endi Sukma Dewata wrote:
>> The profile doc in TPS configuration file has been converted into
>> a man page pki-tps-profile.
>>
>> Ticket #950
>
> New patch attached. Fixed spec file.