Nicolas.Williams at sun.com
Tue Dec 19 11:22:41 EST 2006
On Mon, Dec 18, 2006 at 08:12:11PM -0500, Jeffrey Hutzelman wrote:
> On Thursday, December 14, 2006 10:24:51 AM -0600 Nicolas Williams
> <Nicolas.Williams at sun.com> wrote:
> >First, generate a certificate request:
> >% elfsign request -k private-keyfile -r certificate-request
> ><interactive questionaire>
> >then send the certreq to solaris-crypto-req at sun.com; when you get the
> >cert back from Sun just place it in /etc/crypto/certs and sign the
> Right, and Sun is just going to sign any code I send them?
> If so, what's the point?
IANAL. I suspect: that you're in the U.S., and/or a U.S. person, and/or
not a national of one of the countries to which crypto shouldn't be
> Why not let me set my own trust anchors?
> Why not let me load any module I want?
Crypto export regs.
> It's bad enough that in order to test and debug my PAM module I have to
> change its owner to 0 after every build, even though uid 0 already has
> exclusive control over the PAM configuration and which files get loaded
> (which, BTW, is also a pain - my test application should get to specify a
> configuration source other than the files in /etc/). Now you want me to a
> round trip with someone at Sun each time through the edit-compile-test
> cycle? That's insane!
No! You get your certificate signed by Sun and then you sign all the
shared objects you like with your private key.
> Incidentally, this behavior of Sun's library is an excellent example of why
> "use the first slot with a token" may not be the best policy. The metaslot
> token is _always_ the first slot, if it is present at all.
More information about the krbdev