KeyChainConf » History » Version 6
Yingdi Yu, 04/24/2014 06:56 PM
KeyChain Configuration
======================

## For release 1.0

The default configuration of KeyChain is moved from hardcoded source code to `~/.ndn/client.conf`:

    ...
    pib=sqlite3
    tpm=file ; SecTpmFile or osx-keychain if SecTpmOsx
    ...

## For release 2.0

The configuration file of `KeyChain` consists of **pib** (Public Information Base) and **tpm** (Trusted Platform Module).

    pib ; Public Information Base
    {
      type sqlite3 ; SecPublic
    }
    tpm ; Trusted Platform Module
    {
      type file
    }

## pib

Right now, only one type of **pib** is supported: **sqlite3**, which corresponds to `SecPublicInfoSqlite3`. But in release 2.0, we will support a new type of pib: **service**, which corresponds to a [[PublicInfoService|system service]].

<font color='red'>**ATTENTION!! One and only one pib must be specified in a KeyChain configuration file.**</font>

## tpm

Right now, two types of **tpm** are supported: **osx-keychain** and **file**, which correspond to `SecTpmOsx` and `SecTpmFile` respectively. But in a future release, we will support a new type of tpm: **softhsm**.

At least one tpm must be specified in a KeyChain configuration file. The first tpm in a configuration file is taken as the **primary tpm**; all the other tpms are taken as **secondary tpms**. The only difference between the primary tpm and a secondary tpm is that new keys will be created only in the primary tpm.

In most cases, a KeyChain should use the primary tpm only.
<font color='red'>**Secondary tpm should be used cautiously.**</font>

One use case of a secondary tpm is tpm transition. In this case, the new tpm is set as the primary tpm while the old tpm is set as the secondary tpm. Applications can still use private keys from both the primary tpm and the secondary tpm. Once the transition is done, all the private keys in the secondary tpm should now be considered either useless or replaced by another key in the primary tpm, and only the primary tpm should be kept in the configuration file after the transition.

Multiple-tpm is still possible, if it is really desired. But you should be aware that **KeyChain with multiple-tpm may have a bad signing performance**, because a private key will be looked up in these tpms one by one.

### `SecTpmOsx`

**tpm** for `SecTpmOsx` should be specified as

    tpm
    {
      type osx-keychain ; required
    }

<font color='red'>**ATTENTION!! At most one tpm for `SecTpmOsx` can be specified in a KeyChain configuration.**</font>

### `SecTpmFile`

**tpm** for `SecTpmFile` should be specified as

    tpm
    {
      type file ; required
      dir /tpm/dir ; optional, by default it is set to '~/.ndn/ndnsec-tpm-file/'
    }

The property **dir** will be used to identify a tpm instance of this type. Therefore, with the following configuration, the KeyChain still uses only one tpm.

    tpm
    {
      type file
    }
    tpm
    {
      type file
      dir /user/home/dir/.ndn/ndnsec-tpm-file
    }
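
The rules on this page (one and only one pib, at least one tpm, at most one osx-keychain tpm, the first tpm as primary, file tpms identified by **dir**) can be checked before a configuration is deployed. The following is an added example, not code from the KeyChain implementation: `parse_sections`, `tpm_identity` and `check_keychain_conf` are hypothetical names, the parser handles only the one-item-per-line layout shown on this page, and expanding `~` and normalizing the path is an assumed way of comparing **dir** values.

```python
import posixpath

DEFAULT_TPM_DIR = "~/.ndn/ndnsec-tpm-file/"    # default stated on this page

def parse_sections(text):
    """Parse the 'name { key value }' layout shown on this page (one item per line)."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()    # ';' starts a comment
        if not line or line == "{":
            continue
        if line == "}":
            current = None
        elif current is None:                  # a bare name opens a new section
            current = {}
            sections.append((line, current))
        else:
            key, *rest = line.split(None, 1)
            current[key] = rest[0] if rest else ""
    return sections

def tpm_identity(props, home):
    """A 'file' tpm is identified by its resolved dir; other types by type alone."""
    if props.get("type") != "file":
        return (props.get("type"), None)
    path = props.get("dir", DEFAULT_TPM_DIR)
    if path.startswith("~"):                   # assumption: '~' is the user's home
        path = home + path[1:]
    return ("file", posixpath.normpath(path))

def check_keychain_conf(text, home):
    """Return (primary, secondaries) or raise ValueError on a rule violation."""
    sections = parse_sections(text)
    if sum(name == "pib" for name, _ in sections) != 1:
        raise ValueError("one and only one pib must be specified")
    tpm_props = [props for name, props in sections if name == "tpm"]
    if not tpm_props:
        raise ValueError("at least one tpm must be specified")
    if sum(p.get("type") == "osx-keychain" for p in tpm_props) > 1:
        raise ValueError("at most one osx-keychain tpm can be specified")
    # The same instance listed twice counts once; order is kept, first is primary.
    tpms = list(dict.fromkeys(tpm_identity(p, home) for p in tpm_props))
    return tpms[0], tpms[1:]

# Constructed sample: the last configuration on this page with a pib section added.
SAMPLE = ("pib\n{\n  type sqlite3\n}\ntpm\n{\n  type file\n}\n"
          "tpm\n{\n  type file\n  dir /user/home/dir/.ndn/ndnsec-tpm-file\n}\n")
```

With `home` set to `/user/home/dir`, `check_keychain_conf(SAMPLE, home)` reports a single primary tpm and no secondary; with any other home directory the second section becomes a secondary tpm.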