Project

General

Profile

KeyChainConf » History » Revision 8

Revision 7 (Yingdi Yu, 04/28/2014 01:34 PM) → Revision 8/9 (Davide Pesavento, 07/03/2020 12:15 PM)

KeyChain Configuration 
 ====================== 

 ## For release 0.1.0 

 Default configuration of KeyChain is moved from hardcoded source code to ~/.ndn/client.conf 

     ... 
     pib=sqlite3 
     tpm=file ; SecTpmFile or osx-keychain if SecTpmOsx 
     ... 


 ## Proposal for future release 

 The configuration file of `KeyChain` consists of **pib** (Public Information Base) and **tpm** (Trusted Platform Module). 

     pib ; Public Information Base 
     { 
       type sqlite3 ; SecPublic 
     } 
     tpm ; Trust Platform Module 
     { 
       type file 
     } 

 ## PIB pib 

 Right now, only one type of **pib** is supported: suppported: **sqlite3** which corresponds to `SecPublicInfoSqlite3`. 
 But in a future release, release 2.0, we will support a an new type of pib: **service** which corresponds to a [[PublicInfoService|system service]].  

 **ATTENTION!! <font color='red'>**ATTENTION!! One and only one pib must be specified in a KeyChain configuration file.** file.**</font> 

 ## TPM tpm 

 Right now, two types of **tpm** is supported: **osx-keychain** and **file** which correspond to `SecTpmOsx` and `SecTpmFile` respectively. 
 But in a future release, relase, we will support a an new type of tpm: **softhsm**. 

 At least one tpm must be specified in a KeyChain configuration file.  
 The first tpm in a configuration file is taken as the **primary tpm**,  
 All the other tpms is taken as **secondary tpms**. 
 The only difference between primary tpm and secondary tpm is that new keys will be created only in primary tpm. 

 In most cases, a KeyChain should use the primary tpm only. 
 **Secondary  
 <font color='red'>**Secondary tpm should be used cautiously.** cautiously.**</font> 

 One use case of secondary tpm is tpm transition. 
 In this case, the new tpm is set as the primary tpm while the old tpm is set as the secondary tpm. 
 Application can still use private keys from both primary tpm and secondary tpm. 
 Once the transition is done, all the private keys in the secondary tpm should not be considered either useless or replaced by another key in primary tpm. 
 And only the primary tpm should be kept in the configuration file after the transition. 

 Multiple-tpm is still possible, if it is really desired. 
 But you should be aware that **KeyChain with multiple-tpm may have a bad signing performance** because a private key will be looked up in these tpms one-by-one. 

 ### `SecTpmOsx` 

 **tpm** for `SecTpmOsx` should be specified as 

     tpm 
     { 
       type osx-keychain ; required 
     } 

 **ATTENTION!! <font color='red'>**ATTENTION!! At most one tpm for `SecTpmOsx` can be specified in a KeyChain configuration.** configuration.**</font> 

 ### `SecTpmFile` 

 **tpm** for `SecTpmFile` should be specified as  

     tpm 
     { 
       type file      ; required 
       dir /tpm/dir ; optional, by default it is set to '~/.ndn/ndnsec-tpm-file/ 
     } 

 The property **dir** will be used identify a tpm instance of this type. 
 Therefore, with following configuration, the KeyChain still use only one tpm. 

     tpm 
     { 
       type file 
     } 
     tpm 
     { 
       type file 
       dir /user/home/dir/.ndn/ndnsec-tpm-file 
     }