pkinit updates

Nicolas Williams Nicolas.Williams at sun.com
Tue Dec 19 11:22:41 EST 2006


On Mon, Dec 18, 2006 at 08:12:11PM -0500, Jeffrey Hutzelman wrote:
> 
> 
> On Thursday, December 14, 2006 10:24:51 AM -0600 Nicolas Williams 
> <Nicolas.Williams at sun.com> wrote:
> 
> >First, generate a certificate request:
> >
> >% elfsign request -k private-keyfile -r certificate-request
> ><interactive questionnaire>
> >
> >then send the certreq to solaris-crypto-req at sun.com; when you get the
> >cert back from Sun just place it in /etc/crypto/certs and sign the
> >module:
> 
> Right, and Sun is just going to sign any code I send them?

Yes.

> If so, what's the point?

IANAL.  I suspect: that you're in the U.S., and/or a U.S. person, and/or
not a national of one of the countries to which crypto shouldn't be
exported, and/or...

> Why not let me set my own trust anchors?

See above.

> Why not let me load any module I want?

Crypto export regs.

> It's bad enough that in order to test and debug my PAM module I have to 
> change its owner to 0 after every build, even though uid 0 already has 
> exclusive control over the PAM configuration and which files get loaded 
> (which, BTW, is also a pain - my test application should get to specify a 
> configuration source other than the files in /etc/).  Now you want me to do a 
> round trip with someone at Sun each time through the edit-compile-test 
> cycle?  That's insane!

No!  You get your certificate signed by Sun and then you sign all the
shared objects you like with your private key.

> [...]
> 
> Incidentally, this behavior of Sun's library is an excellent example of why 
> "use the first slot with a token" may not be the best policy.  The metaslot 
> token is _always_ the first slot, if it is present at all.

Indeed.

Nico