KeyChainConf » History » Revision 8
« Previous |
Revision 8/9
(diff)
| Next »
Davide Pesavento, 07/03/2020 12:15 PM
KeyChain Configuration¶
For release 0.1.0¶
Default configuration of KeyChain is moved from hardcoded source code to ~/.ndn/client.conf
...
pib=sqlite3
tpm=file ; SecTpmFile or osx-keychain if SecTpmOsx
...
Proposal for future release¶
The configuration file of KeyChain
consists of pib (Public Information Base) and tpm (Trusted Platform Module).
pib ; Public Information Base
{
type sqlite3 ; SecPublic
}
tpm ; Trust Platform Module
{
type file
}
PIB¶
Right now, only one type of pib is supported: sqlite3 which corresponds to SecPublicInfoSqlite3
.
But in a future release, we will support a new type of pib: service which corresponds to a system service.
ATTENTION!! One and only one pib must be specified in a KeyChain configuration file.
TPM¶
Right now, two types of tpm is supported: osx-keychain and file which correspond to SecTpmOsx
and SecTpmFile
respectively.
But in a future release, we will support a new type of tpm: softhsm.
At least one tpm must be specified in a KeyChain configuration file.
The first tpm in a configuration file is taken as the primary tpm,
All the other tpms is taken as secondary tpms.
The only difference between primary tpm and secondary tpm is that new keys will be created only in primary tpm.
In most cases, a KeyChain should use the primary tpm only.
Secondary tpm should be used cautiously.
One use case of secondary tpm is tpm transition.
In this case, the new tpm is set as the primary tpm while the old tpm is set as the secondary tpm.
Application can still use private keys from both primary tpm and secondary tpm.
Once the transition is done, all the private keys in the secondary tpm should not be considered either useless or replaced by another key in primary tpm.
And only the primary tpm should be kept in the configuration file after the transition.
Multiple-tpm is still possible, if it is really desired.
But you should be aware that KeyChain with multiple-tpm may have a bad signing performance because a private key will be looked up in these tpms one-by-one.
SecTpmOsx
¶
tpm for SecTpmOsx
should be specified as
tpm
{
type osx-keychain ; required
}
ATTENTION!! At most one tpm for SecTpmOsx
can be specified in a KeyChain configuration.
SecTpmFile
¶
tpm for SecTpmFile
should be specified as
tpm
{
type file ; required
dir /tpm/dir ; optional, by default it is set to '~/.ndn/ndnsec-tpm-file/
}
The property dir will be used identify a tpm instance of this type.
Therefore, with following configuration, the KeyChain still use only one tpm.
tpm
{
type file
}
tpm
{
type file
dir /user/home/dir/.ndn/ndnsec-tpm-file
}
Updated by Davide Pesavento over 4 years ago · 9 revisions