Edewata, info about ECC params below:
thanks,
jack
----- Original Message -----
From: "Endi Sukma Dewata" <edewata(a)redhat.com>
To: "Christina Fu" <cfu(a)redhat.com>, pki-devel(a)redhat.com, "John Magne" <jmagne(a)redhat.com>
Sent: Thursday, May 15, 2014 6:55:35 AM
Subject: Re: [Pki-devel] [PATCH] 496 Converted TPS profile doc into man page.
New patch attached. Please see comments below.
On 5/13/2014 1:02 PM, Christina Fu wrote:
> 1. How about changing "userKey" to "<tokenType>", and "signing" to "<keyType>"?
>
> +The following property specifies the CUID shown in the certificate.
> +
> +.B op.enroll.userKey.keyGen.signing.cuid_label
>
> +
> +The following property specifies the token name.
> +All resulting labels for co-existing keys on the same token must be
> unique.
> +
> +.B op.enroll.userKey.keyGen.signing.label
Sure. It's been changed.
> 2. How about replacing all references to "RA" (an outdated name for "TPS") with "TPS"?
Changed also.
> 3. We added support for ECC, so a couple of params were added to the mix (I have
> my understanding of what they are, but it's best to ask Jack to provide
> official info on those two):
>
> +The following properties specify the key usage and which PIN user should
> be granted.
> +
> +.nf
> *+.B op.enroll.<tokenType>.keyGen.<keyType>.alg=1**
> **+.B op.enroll.<tokenType>.keyGen.<keyType>.keySize=1024*
> +.B op.enroll.<tokenType>.keyGen.<keyType>.keyUsage=0
> +.B op.enroll.<tokenType>.keyGen.<keyType>.keyUser=0
> +.fi
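Review bot: the single `keySize=1024` line next to `alg=1` reads as if 1024 were the only valid size, but the ECC algorithm (`alg=5`, ALG_EC_FP) takes keySize 256 or 384 per Jack's reply further down; the description should list the allowed `keySize` values per `alg`, and say that `alg=4` (ALG_EC_F2M) is not supported so readers do not configure it.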
For ECC the keySizes we support are 256 and 384. Theoretically we could do 521, but I'm
not sure we tested that yet, so just put the first two.
The algs are as follows:
ALG_EC_F2M = 4,
ALG_EC_FP = 5
These are just two different types of EC algs.
We really only support ALG_EC_FP_5 = 5 though, so you can either emphasize that or just
leave out the other one for now.
I added the alg and keySize properties. Jack, please let me know how we
can change the text above to describe all properties above.
> 3. Same comment from 1 for the following:
>
> +There is a special case of tokenType userKeyTemporary.
> +Make sure the profile specified by the profileId to have
> +short validity period (e.g. 7 days) for the certificate.
> +
> +.nf
> +.B op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher
> +.B
> op.enroll.userKeyTemporary.keyGen.signing.publisherId=fileBasedPublisher
> +.f
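Review bot: the closing macro on the last line is `.f`, which groff will not recognise; the no-fill block opened by `.nf` should be closed with `.fi`, as the earlier block does. The second `.B` also appears separated from its property name, in which case that line would not be rendered bold; keep `.B` and `op.enroll.userKeyTemporary.keyGen.signing.publisherId=fileBasedPublisher` on one line.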
I've changed the "signing" to "<keyType>", but if I change the "userKey"
and "userKeyTemporary" into "<tokenType>" too, the two lines will become
identical. Is that OK, or are these two special cases?
Note that the text and the properties don't seem to be related, and we
discussed fixing it separately later.
> 4. You asked me about the following, I think I just realized what it was
> now. It's for things like
> op.enroll.userKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey
> so, a generic thing is:
>
> op.enroll.<tokenType>.keyGen.<keyType>.recovery.<tokenState>.scheme=GenerateNewKey
>
> +The three recovery schemes supported are:
> + \fBGenerateNewKey\fR - Generate a new cert for the encryption cert.
> + \fBRecoverLast\fR - Recover the most recent cert for the encryption
> cert.
> + \fBGenerateNewKeyandRecoverLast\fR - Generate new cert AND recover last
> for encryption cert.
OK, the property has been added.
> 5. for the following you might want to add a generic thing as well:
> e.g.
> op.enroll.<tokenType>.renewal.*
>
> +.SS Token Renewal
Added.
> 5. There seem to be profile-related comments for "Format Operation For
> tokenKey" and "Pin Reset Operation For CoolKey". Are they significant
> enough to be added?
Added now. They didn't appear in the UI so I wasn't aware of them.
--
Endi S. Dewata
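The constraints stated in this thread (ECC keySize 256 or 384, only ALG_EC_FP=5 supported, the three recovery schemes) can be turned into a lint check over the generic `op.enroll.<tokenType>.keyGen.<keyType>.*` properties. This is an added example written for this page, not code from the patch or from the pki project; the sample profile fragment is constructed.

```python
import re

# Generic property form from the thread: op.enroll.<tokenType>.keyGen.<keyType>.<param>=<value>
PROP_RE = re.compile(
    r"^op\.enroll\.(?P<tokenType>[^.]+)\.keyGen\.(?P<keyType>[^.]+)\.(?P<param>[^=]+)=(?P<value>.*)$"
)

# Per Jack's reply: only ALG_EC_FP is supported, and ECC key sizes are 256 and 384.
ALG_EC_F2M = 4
ALG_EC_FP = 5
EC_KEY_SIZES = {256, 384}
RECOVERY_SCHEMES = {"GenerateNewKey", "RecoverLast", "GenerateNewKeyandRecoverLast"}

def parse_profile(text):
    """Group keyGen properties as {(tokenType, keyType): {param: value}}."""
    keys = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            keys.setdefault((m["tokenType"], m["keyType"]), {})[m["param"]] = m["value"]
    return keys

def check_profile(text):
    """Return a list of problems; empty means the keyGen settings are consistent."""
    problems = []
    for (tok, kt), params in parse_profile(text).items():
        name = f"op.enroll.{tok}.keyGen.{kt}"
        alg = int(params.get("alg", 0))       # assumes numeric alg/keySize values
        size = int(params.get("keySize", 0))
        if alg == ALG_EC_F2M:
            problems.append(f"{name}: alg=4 (ALG_EC_F2M) is not supported, use alg=5 (ALG_EC_FP)")
        elif alg == ALG_EC_FP and size not in EC_KEY_SIZES:
            problems.append(f"{name}: keySize={size} is not valid for ECC (use 256 or 384)")
        for param, value in params.items():
            if param.startswith("recovery.") and param.endswith(".scheme") and value not in RECOVERY_SCHEMES:
                problems.append(f"{name}.{param}: unknown recovery scheme {value!r}")
    return problems

# Constructed sample profile fragment (not a real TPS configuration).
SAMPLE = """\
op.enroll.userKey.keyGen.signing.alg=5
op.enroll.userKey.keyGen.signing.keySize=1024
op.enroll.userKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey
op.enroll.userKey.keyGen.encryption.alg=4
op.enroll.userKey.keyGen.encryption.keySize=256
op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme=RecoverAll
"""
```

Running `check_profile(SAMPLE)` reports the ECC key that was left at keySize 1024, the unsupported ALG_EC_F2M selection, and the unknown recovery scheme, while a profile with alg=5 and keySize=384 passes clean.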