KeyChainConf » History » Revision 8
Revision 7 (Yingdi Yu, 04/28/2014 01:34 PM) → Revision 8/9 (Davide Pesavento, 07/03/2020 12:15 PM)
KeyChain Configuration ====================== ## For release 0.1.0 Default configuration of KeyChain is moved from hardcoded source code to ~/.ndn/client.conf ... pib=sqlite3 tpm=file ; SecTpmFile or osx-keychain if SecTpmOsx ... ## Proposal for future release The configuration file of `KeyChain` consists of **pib** (Public Information Base) and **tpm** (Trusted Platform Module). pib ; Public Information Base { type sqlite3 ; SecPublic } tpm ; Trust Platform Module { type file } ## PIB pib Right now, only one type of **pib** is supported: suppported: **sqlite3** which corresponds to `SecPublicInfoSqlite3`. But in a future release, release 2.0, we will support a an new type of pib: **service** which corresponds to a [[PublicInfoService|system service]]. **ATTENTION!! <font color='red'>**ATTENTION!! One and only one pib must be specified in a KeyChain configuration file.** file.**</font> ## TPM tpm Right now, two types of **tpm** is supported: **osx-keychain** and **file** which correspond to `SecTpmOsx` and `SecTpmFile` respectively. But in a future release, relase, we will support a an new type of tpm: **softhsm**. At least one tpm must be specified in a KeyChain configuration file. The first tpm in a configuration file is taken as the **primary tpm**, All the other tpms is taken as **secondary tpms**. The only difference between primary tpm and secondary tpm is that new keys will be created only in primary tpm. In most cases, a KeyChain should use the primary tpm only. **Secondary <font color='red'>**Secondary tpm should be used cautiously.** cautiously.**</font> One use case of secondary tpm is tpm transition. In this case, the new tpm is set as the primary tpm while the old tpm is set as the secondary tpm. Application can still use private keys from both primary tpm and secondary tpm. Once the transition is done, all the private keys in the secondary tpm should not be considered either useless or replaced by another key in primary tpm. And only the primary tpm should be kept in the configuration file after the transition. Multiple-tpm is still possible, if it is really desired. But you should be aware that **KeyChain with multiple-tpm may have a bad signing performance** because a private key will be looked up in these tpms one-by-one. ### `SecTpmOsx` **tpm** for `SecTpmOsx` should be specified as tpm { type osx-keychain ; required } **ATTENTION!! <font color='red'>**ATTENTION!! At most one tpm for `SecTpmOsx` can be specified in a KeyChain configuration.** configuration.**</font> ### `SecTpmFile` **tpm** for `SecTpmFile` should be specified as tpm { type file ; required dir /tpm/dir ; optional, by default it is set to '~/.ndn/ndnsec-tpm-file/ } The property **dir** will be used identify a tpm instance of this type. Therefore, with following configuration, the KeyChain still use only one tpm. tpm { type file } tpm { type file dir /user/home/dir/.ndn/ndnsec-tpm-file }