KeyChainConf » History » Version 4
Yingdi Yu, 04/24/2014 04:50 PM
| 1 | 1 | Yingdi Yu | KeyChain Configuration |
|---|---|---|---|
| 2 | ====================== |
||
| 3 | |||
| 4 | 2 | Yingdi Yu | The configuration file of `KeyChain` consists of **pib** (Public Information Base) and **tpm** (Trusted Platform Module). |
| 5 | 1 | Yingdi Yu | |
| 6 | pib ; Public Information Base |
||
| 7 | { |
||
| 8 | 4 | Yingdi Yu | type sqlite3 ; SecPublic |
| 9 | 1 | Yingdi Yu | } |
| 10 | tpm ; Trust Platform Module |
||
| 11 | { |
||
| 12 | 2 | Yingdi Yu | type file |
| 13 | 1 | Yingdi Yu | } |
| 14 | 2 | Yingdi Yu | |
| 15 | 3 | Yingdi Yu | ## pib |
| 16 | 2 | Yingdi Yu | |
| 17 | Right now, only one type of **pib** is suppported: **sqlite3** which corresponds to `SecPublicInfoSqlite3`. |
||
| 18 | 4 | Yingdi Yu | But in release 2.0, we will support an new type of pib: **service** which corresponds to a [[PublicInfoService|system service]]. |
| 19 | 1 | Yingdi Yu | |
| 20 | 4 | Yingdi Yu | <font color='red'>**ATTENTION!! One and only one pib must be specified in a KeyChain configuration file.**</font> |
| 21 | 1 | Yingdi Yu | |
| 22 | ## tpm |
||
| 23 | 4 | Yingdi Yu | |
| 24 | Right now, two types of **tpm** is supported: **osx-keychain** and **file** which correspond to `SecTpmOsx` and `SecTpmFile` respectively. |
||
| 25 | But in future relase, we will support an new type of tpm: **softhsm**. |
||
| 26 | |||
| 27 | At least one tpm must be specified in a KeyChain configuration file. |
||
| 28 | The first tpm in a configuration file is taken as the **primary tpm**, |
||
| 29 | All the other tpms is taken as **secondary tpms**. |
||
| 30 | The only difference between primary tpm and secondary tpm is that new keys will be created only in primary tpm. |
||
| 31 | |||
| 32 | In most cases, a KeyChain should use the primary tpm only. |
||
| 33 | <font color='red'>**Secondary tpm should be used cautiously.**</font> |
||
| 34 | |||
| 35 | One use case of secondary tpm is tpm transition. |
||
| 36 | In this case, the new tpm is set as the primary tpm while the old tpm is set as the secondary tpm. |
||
| 37 | Application can still use private keys from both primary tpm and secondary tpm. |
||
| 38 | Once the transition is done, all the private keys in the secondary tpm should not be considered either useless or replaced by another key in primary tpm. |
||
| 39 | And only the primary tpm should be kept in the configuration file after the transition. |
||
| 40 | |||
| 41 | Multiple-tpm is still possible, if it is really desired. |
||
| 42 | But you should be aware that **KeyChain with multiple-tpm may have a bad signing performance** because a private key will be looked up in these tpms one-by-one. |
||
| 43 | |||
| 44 | ### `SecTpmOsx` |
||
| 45 | |||
| 46 | **tpm** for `SecTpmOsx` should be specified as |
||
| 47 | |||
| 48 | tpm |
||
| 49 | { |
||
| 50 | type osx-keychain ; required |
||
| 51 | } |
||
| 52 | |||
| 53 | <font color='red'>**ATTENTION!! At most one tpm for `SecTpmOsx` can be specified in a KeyChain configuration.**</font> |
||
| 54 | |||
| 55 | ### `SecTpmFile` |
||
| 56 | |||
| 57 | **tpm** for `SecTpmFile` should be specified as |
||
| 58 | |||
| 59 | tpm |
||
| 60 | { |
||
| 61 | type file ; required |
||
| 62 | dir /tpm/dir ; optional, by default it is set to '~/.ndn/ndnsec-tpm-file/ |
||
| 63 | } |
||
| 64 | |||
| 65 | The property **dir** will be used identify a tpm instance of this type. |
||
| 66 | Therefore, in following configuration, only one tpm will be used. |
||
| 67 | |||
| 68 | tpm |
||
| 69 | { |
||
| 70 | type file |
||
| 71 | } |
||
| 72 | tpm |
||
| 73 | { |
||
| 74 | type file |
||
| 75 | dir /user/home/dir/.ndn/ndnsec-tpm-file |
||
| 76 | } |