[Pki-devel] [PATCH] 496 Converted TPS profile doc into man page.

Endi Sukma Dewata edewata at redhat.com
Thu May 15 13:55:35 UTC 2014


New patch attached. Please see comments below.

On 5/13/2014 1:02 PM, Christina Fu wrote:
> 1. How about changing "userKey" to "<tokenType>", and "signing" to
> "<keyType>"?
>
> +The following property specifies the CUID shown in the certificate.
> +
> +.B op.enroll.userKey.keyGen.signing.cuid_label
>
> +
> +The following property specifies the token name.
> +All resulting labels for co-existing keys on the same token must be unique.
> +
> +.B op.enroll.userKey.keyGen.signing.label

Sure. It's been changed.

> 2. How about replacing all references to "RA" (an outdated name for "TPS")
> with "TPS"?

Changed also.

> 3. We added support for ECC, so a couple params added to the mix (I have
> my understanding of what they are, but it's best to ask Jack to provide
> official info on those two) :
>
> +The following properties specify the key usage and which PIN user should be granted.
> +
> +.nf
> *+.B op.enroll.<tokenType>.keyGen.<keyType>.alg=1**
> **+.B op.enroll.<tokenType>.keyGen.<keyType>.keySize=1024*
> +.B op.enroll.<tokenType>.keyGen.<keyType>.keyUsage=0
> +.B op.enroll.<tokenType>.keyGen.<keyType>.keyUser=0
> +.fi
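
Review bot: the introductory sentence of this hunk covers only key usage and the PIN user, yet the block beneath it also lists alg and keySize, and none of the numeric values (alg=1, keyUsage=0, keyUser=0) is explained. Suggest either splitting the block so each property follows its own description, or widening the sentence to name all four properties, and in both cases stating what each permitted value means so a reader does not have to guess what 0 and 1 select.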

I added the alg and keySize properties. Jack, please let me know how we 
can change the text above to describe all properties above.

> 3. Same comment from 1 for the following:
>
> +There is a special case of tokenType userKeyTemporary.
> +Make sure the profile specified by the profileId to have
> +short validity period (e.g. 7 days) for the certificate.
> +
> +.nf
> +.B op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher
> +.B op.enroll.userKeyTemporary.keyGen.signing.publisherId=fileBasedPublisher
> +.f
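
Review bot: the last line of this hunk, as quoted, closes the no-fill block with ".f" rather than ".fi". The ".nf" above it is then never turned off, so the rest of the page would be rendered unfilled. Suggest changing the final line to ".fi" and checking the rendered output with man before committing.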

I've changed the "signing" to "<keyType>", but if I change the "userKey" 
and "userKeyTemporary" into "<tokenType>" too the two lines will become 
identical. Is that ok, or are these two special cases?

Note that the text and the properties don't seem to be related and we 
discussed fixing it separately later.

> 4. You asked me about the following, I think I just realized what it was
> now.  It's for things like
> op.enroll.userKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey
> so, a generic thing is:
> op.enroll.<tokenType>.keyGen.<keyType>.recovery.<tokenState>.scheme=GenerateNewKey
>
> +The three recovery schemes supported are:
> +  \fBGenerateNewKey\fR - Generate a new cert for the encryption cert.
> +  \fBRecoverLast\fR - Recover the most recent cert for the encryption cert.
> +  \fBGenerateNewKeyandRecoverLast\fR - Generate new cert AND recover last for encryption cert.
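
Review bot: the three descriptions in this hunk speak only of certs ("Generate a new cert for the encryption cert") while the scheme names refer to keys, and the phrase "for the encryption cert" is repeated with inconsistent articles. Suggest rewording each entry to say explicitly whether a key, a certificate or both are generated or recovered, and using one consistent phrasing across the three lines.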

OK, the property has been added.

> 5. for the following you might want to add a generic thing as well:
> e.g.
> op.enroll.<tokenType>.renewal.*
>
> +.SS Token Renewal

Added.

> 5. There seems to be profile-related comments for "Format Operation For
> tokenKey" and "Pin Reset Operation For CoolKey".  Are they significant
> enough to be added?

Added now. They didn't appear in the UI so I wasn't aware of them.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0496-2-Converted-TPS-profile-doc-into-man-page.patch
Type: text/x-patch
Size: 20044 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20140515/ea780d38/attachment.bin>