[Pki-devel] [PATCH] 496 Converted TPS profile doc into man page.

John Magne jmagne at redhat.com
Thu May 15 17:46:41 UTC 2014


Edewata, info about ECC params below:

thanks,
jack
----- Original Message -----
> From: "Endi Sukma Dewata" <edewata at redhat.com>
> To: "Christina Fu" <cfu at redhat.com>, pki-devel at redhat.com, "John Magne" <jmagne at redhat.com>
> Sent: Thursday, May 15, 2014 6:55:35 AM
> Subject: Re: [Pki-devel] [PATCH] 496 Converted TPS profile doc into man page.
> 
> New patch attached. Please see comments below.
> 
> On 5/13/2014 1:02 PM, Christina Fu wrote:
> > 1. How about change ""userKey" to "<tokenType>", and "signing" to
> > "<keyType>?
> >
> > +The following property specifies the CUID shown in the certificate.
> > +
> > +.B op.enroll.userKey.keyGen.signing.cuid_label
> >
> > +
> > +The following property specifies the token name.
> > +All resulting labels for co-existing keys on the same token must be
> > unique.
> > +
> > +.B op.enroll.userKey.keyGen.signing.label
> 
> Sure. It's been changed.
> 
> > 2. How about replace all reference of "RA" (an outdated name for "TPS")
> > with "TPS"?
> 
> Changed also.
> 
> > 3. We added support for ECC, so a couple params added to the mix (I have
> > my understanding of what they are, but it's best to ask Jack to provide
> > official info on those two) :
> >
> > +The following properties specify the key usage and which PIN user should
> > be granted.
> > +
> > +.nf
> > *+.B op.enroll.<tokenType>.keyGen.<keyType>.alg=1**
> > **+.B op.enroll.<tokenType>.keyGen.<keyType>.keySize=1024*
> > +.B op.enroll.<tokenType>.keyGen.<keyType>.keyUsage=0
> > +.B op.enroll.<tokenType>.keyGen.<keyType>.keyUser=0
> > +.fi
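Review bot: the sentence introducing this block describes only keyUsage and keyUser; the alg and keySize lines get no description, and the values shown (alg=1, keySize=1024) are not the EC values given later in this thread (alg=5 for ALG_EC_FP, keySize 256 or 384, with alg=4 ALG_EC_F2M listed but not supported). Suggest a sentence per property, stating the EC values explicitly. The `*` and `**` wrapped around the first two `.B` lines are mail-client bold markers, not man page source, and should not land in the patch.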

For ECC the keySizes we support are 256 and 384. Theoretically we could do 521, but I'm not sure we tested that yet, so just put the first two.

The algs are as follows:

ALG_EC_F2M = 4,
ALG_EC_FP = 5

These are just two different types of EC algs.

We really only support ALG_EC_FP_5 = 5 though, so you can either emphasize that or just leave out the other one for now.

> 
> I added the alg and keySize properties. Jack, please let me know how we
> can change the text above to describe all properties above.
> 
> > 3. Same comment from 1 for the following:
> >
> > +There is a special case of tokenType userKeyTemporary.
> > +Make sure the profile specified by the profileId to have
> > +short validity period (e.g. 7 days) for the certificate.
> > +
> > +.nf
> > +.B op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher
> > +.B
> > op.enroll.userKeyTemporary.keyGen.signing.publisherId=fileBasedPublisher
> > +.f
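Review bot: the block ends with `.f` instead of `.fi`, so groff never leaves the no-fill mode opened by `.nf` and everything after it renders unfilled; fix the macro name. The second `.B` is also split from its argument onto the next line, which bolds nothing and prints the property name as plain text; keep `.B op.enroll.userKeyTemporary.keyGen.<keyType>.publisherId=fileBasedPublisher` on one line.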
> 
> I've changed the "signing" to "<keyType>", but if I change the "userKey"
> and "userKeyTemporary" into "<tokenType>" too the two lines will become
> identical. Is that ok, or are these two are special cases?
> 
> Note that the text and the properties don't seem to be related and we
> discussed about fixing it separately later.
> 
> > 4. You asked me about the following, I think I just realized what it was
> > now.  Its for things like
> > op.enroll.userKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey
> > so, a generic thing is:
> > op.enroll.<tokenType>.keyGen.<keyType>.recovery.<tokenState>.scheme=GenerateNewKey
> >
> > +The three recovery schemes supported are:
> > +  \fBGenerateNewKey\fR - Generate a new cert for the encryption cert.
> > +  \fBRecoverLast\fR - Recover the most recent cert for the encryption
> > cert.
> > +  \fBGenerateNewKeyandRecoverLast\fR - Generate new cert AND recover last
> > for encryption cert.
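Review bot: the list names the three scheme values but the hunk never states the property they belong to; add a `.B op.enroll.<tokenType>.keyGen.<keyType>.recovery.<tokenState>.scheme=GenerateNewKey` line (the generic form given just above in the review) before the list, and say which `<tokenState>` values (for example destroyed) it applies to. The second and third items are also wrapped mid-sentence; keep each `\fB...\fR` item on its own line so the man page indents them as a list.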
> 
> OK, the property has been added.
> 
> > 5. for the following you might want to add a generic thing as well:
> > e.g.
> > op.enroll.<tokenType>.renewal.*
> >
> > +.SS Token Renewal
> 
> Added.
> 
> > 5. There seems to be profile-related comments for "Format Operation For
> > tokenKey" and "Pin Reset Operation For CoolKey".  Are they significant
> > enough to be added?
> 
> Added now. They didn't appear in the UI so I wasn't aware of them.
> 
> --
> Endi S. Dewata
> 
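An added example, not from this thread and not Dogtag's own code: a small Python checker that reads TPS profile properties in the `op.enroll.<tokenType>.keyGen.<keyType>.*` form discussed above and flags the combinations the thread rules out (EC alg 4 unsupported, EC key sizes other than 256/384, recovery schemes outside the three named). The profile lines, the `encryption` key type and the `lost` token state are constructed sample input.

```python
import re
from typing import Dict, List, Tuple

# Property shape discussed in the thread: op.enroll.<tokenType>.keyGen.<keyType>.<prop>
KEYGEN_RE = re.compile(r"^op\.enroll\.(?P<token>[^.]+)\.keyGen\.(?P<key>[^.]+)\.(?P<prop>.+)$")
EC_LISTED_ALGS = {4, 5}          # ALG_EC_F2M = 4, ALG_EC_FP = 5 (from the thread)
EC_SUPPORTED_ALG = 5             # only ALG_EC_FP is actually supported
EC_KEY_SIZES = {256, 384}        # 521 is untested per the thread
RECOVERY_SCHEMES = {"GenerateNewKey", "RecoverLast", "GenerateNewKeyandRecoverLast"}

# Constructed sample profile (not a real Dogtag profile); 'encryption' and 'lost' are made up.
SAMPLE_PROFILE = """
op.enroll.userKey.keyGen.signing.alg=5
op.enroll.userKey.keyGen.signing.keySize=521
op.enroll.userKey.keyGen.encryption.alg=4
op.enroll.userKey.keyGen.encryption.keySize=256
op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme=GenerateNewKey
op.enroll.userKey.keyGen.encryption.recovery.lost.scheme=RecoverAll
"""

def parse_profile(text: str) -> Dict[str, str]:
    """Parse key=value lines, skipping blanks and '#' comments."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def check_keygen(props: Dict[str, str]) -> List[str]:
    """Return one finding per keyGen setting that violates the constraints above."""
    groups: Dict[Tuple[str, str], Dict[str, str]] = {}
    for key, value in props.items():
        m = KEYGEN_RE.match(key)
        if m:
            groups.setdefault((m["token"], m["key"]), {})[m["prop"]] = value
    findings: List[str] = []
    for (token, ktype), p in sorted(groups.items()):
        where = f"op.enroll.{token}.keyGen.{ktype}"
        alg, size = p.get("alg"), p.get("keySize")
        if alg is not None and alg.isdigit() and int(alg) in EC_LISTED_ALGS:
            if int(alg) != EC_SUPPORTED_ALG:
                findings.append(f"{where}.alg={alg}: ALG_EC_F2M is listed but unsupported, use 5 (ALG_EC_FP)")
            if size is None or not size.isdigit() or int(size) not in EC_KEY_SIZES:
                findings.append(f"{where}.keySize={size}: EC keySize must be 256 or 384")
        for prop, value in p.items():
            if re.match(r"recovery\.[^.]+\.scheme$", prop) and value not in RECOVERY_SCHEMES:
                findings.append(f"{where}.{prop}={value}: unknown recovery scheme")
    return findings

if __name__ == "__main__":
    for finding in check_keygen(parse_profile(SAMPLE_PROFILE)):
        print(finding)
```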