question about pkinit + plugin interface
hartmans at MIT.EDU
Tue Oct 17 09:55:09 EDT 2006
>>>>> "Nalin" == Nalin Dahyabhai <nalin at redhat.com> writes:
Nalin> On Mon, Oct 16, 2006 at 07:42:08PM -0400, Sam Hartman
>> I think all this sounds good; I'd like to hear from Nalin and
>> confirm he's OK, but that should not be blocking for too long.
Nalin> Most of that sounds great. I'm worried about (3) where the
Nalin> krb5_get_init_creds_opt_set_pkinit() function can
Nalin> implicitly tie the implementation to a specific toolkit --
Nalin> if you have to specify where to find the user's
Nalin> certificates and keys using a string in the form
Nalin> "ENGINE:foo.so", well, that's only going to mean something
Nalin> if you're using OpenSSL under the covers.
That's certainly true.
I don't know how to resolve this.
I think we should perhaps move the API discussion to krbdev and so I'm
adding that list.
I think the requirements are:
1) The API in libkrb5 must not be pkinit specific.
So I'm thinking of something like a get_init_creds_opt_set_pa which takes a patype, integer|string and value.
2) Easy compatibility with Heimdal. So, for example, you'd like to be able to have a #define for the Heimdal functions or at least export similar functionality.
3) Minimize backend specificity.
4) Provide an interface that can be used for gssmaggot integration.
I think that goal 2 and 3 are in conflict. It seems likely that we
may end up exporting some APIs that provide Heimdal compat at least
when built against openssl.
I would appreciate advice on how we can move forward here.
More information about the krbdev