KeyChainConf » History » Version 7
Yingdi Yu, 04/28/2014 01:34 PM
| 1 | 1 | Yingdi Yu | KeyChain Configuration |
|---|---|---|---|
| 2 | ====================== |
||
| 3 | |||
| 4 | 7 | Yingdi Yu | ## For release 0.1.0 |
| 5 | 6 | Yingdi Yu | |
| 6 | Default configuration of KeyChain is moved from hardcoded source code to ~/.ndn/client.conf |
||
| 7 | |||
| 8 | ... |
||
| 9 | pib=sqlite3 |
||
| 10 | tpm=file ; SecTpmFile or osx-keychain if SecTpmOsx |
||
| 11 | ... |
||
| 12 | |||
| 13 | |||
| 14 | 7 | Yingdi Yu | ## Proposal for future release |
| 15 | 6 | Yingdi Yu | |
| 16 | 2 | Yingdi Yu | The configuration file of `KeyChain` consists of **pib** (Public Information Base) and **tpm** (Trusted Platform Module). |
| 17 | 1 | Yingdi Yu | |
| 18 | pib ; Public Information Base |
||
| 19 | { |
||
| 20 | 4 | Yingdi Yu | type sqlite3 ; SecPublic |
| 21 | 1 | Yingdi Yu | } |
| 22 | tpm ; Trust Platform Module |
||
| 23 | { |
||
| 24 | 2 | Yingdi Yu | type file |
| 25 | 1 | Yingdi Yu | } |
| 26 | 2 | Yingdi Yu | |
| 27 | 3 | Yingdi Yu | ## pib |
| 28 | 2 | Yingdi Yu | |
| 29 | Right now, only one type of **pib** is suppported: **sqlite3** which corresponds to `SecPublicInfoSqlite3`. |
||
| 30 | 4 | Yingdi Yu | But in release 2.0, we will support an new type of pib: **service** which corresponds to a [[PublicInfoService|system service]]. |
| 31 | 1 | Yingdi Yu | |
| 32 | 4 | Yingdi Yu | <font color='red'>**ATTENTION!! One and only one pib must be specified in a KeyChain configuration file.**</font> |
| 33 | 1 | Yingdi Yu | |
| 34 | ## tpm |
||
| 35 | 4 | Yingdi Yu | |
| 36 | Right now, two types of **tpm** is supported: **osx-keychain** and **file** which correspond to `SecTpmOsx` and `SecTpmFile` respectively. |
||
| 37 | But in future relase, we will support an new type of tpm: **softhsm**. |
||
| 38 | |||
| 39 | At least one tpm must be specified in a KeyChain configuration file. |
||
| 40 | The first tpm in a configuration file is taken as the **primary tpm**, |
||
| 41 | All the other tpms is taken as **secondary tpms**. |
||
| 42 | The only difference between primary tpm and secondary tpm is that new keys will be created only in primary tpm. |
||
| 43 | |||
| 44 | In most cases, a KeyChain should use the primary tpm only. |
||
| 45 | <font color='red'>**Secondary tpm should be used cautiously.**</font> |
||
| 46 | |||
| 47 | One use case of secondary tpm is tpm transition. |
||
| 48 | In this case, the new tpm is set as the primary tpm while the old tpm is set as the secondary tpm. |
||
| 49 | Application can still use private keys from both primary tpm and secondary tpm. |
||
| 50 | Once the transition is done, all the private keys in the secondary tpm should not be considered either useless or replaced by another key in primary tpm. |
||
| 51 | And only the primary tpm should be kept in the configuration file after the transition. |
||
| 52 | |||
| 53 | Multiple-tpm is still possible, if it is really desired. |
||
| 54 | But you should be aware that **KeyChain with multiple-tpm may have a bad signing performance** because a private key will be looked up in these tpms one-by-one. |
||
| 55 | |||
| 56 | ### `SecTpmOsx` |
||
| 57 | |||
| 58 | **tpm** for `SecTpmOsx` should be specified as |
||
| 59 | |||
| 60 | tpm |
||
| 61 | { |
||
| 62 | type osx-keychain ; required |
||
| 63 | } |
||
| 64 | |||
| 65 | <font color='red'>**ATTENTION!! At most one tpm for `SecTpmOsx` can be specified in a KeyChain configuration.**</font> |
||
| 66 | |||
| 67 | ### `SecTpmFile` |
||
| 68 | |||
| 69 | **tpm** for `SecTpmFile` should be specified as |
||
| 70 | |||
| 71 | tpm |
||
| 72 | { |
||
| 73 | type file ; required |
||
| 74 | dir /tpm/dir ; optional, by default it is set to '~/.ndn/ndnsec-tpm-file/ |
||
| 75 | } |
||
| 76 | |||
| 77 | The property **dir** will be used identify a tpm instance of this type. |
||
| 78 | 5 | Yingdi Yu | Therefore, with following configuration, the KeyChain still use only one tpm. |
| 79 | 4 | Yingdi Yu | |
| 80 | tpm |
||
| 81 | { |
||
| 82 | type file |
||
| 83 | } |
||
| 84 | tpm |
||
| 85 | { |
||
| 86 | type file |
||
| 87 | dir /user/home/dir/.ndn/ndnsec-tpm-file |
||
| 88 | } |