New patch attached. Please see comments below.
On 5/13/2014 1:02 PM, Christina Fu wrote:
1. How about changing "userKey" to "<tokenType>", and "signing" to "<keyType>"?
+The following property specifies the CUID shown in the certificate.
+
+.B op.enroll.userKey.keyGen.signing.cuid_label
+
+The following property specifies the token name.
+All resulting labels for co-existing keys on the same token must be unique.
+
+.B op.enroll.userKey.keyGen.signing.label
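Review bot: the description at `+The following property specifies the token name.` does not match the property it introduces: the property is `...keyGen.signing.label`, and the sentence right after it is about label uniqueness, so the text should say what this label names (the label of the key/cert on the token) rather than "the token name". The `cuid_label` description ("the CUID shown in the certificate") would also help readers more if it said where in the certificate the CUID appears.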
Sure. It's been changed.
2. How about replacing all references to "RA" (an outdated name for "TPS") with "TPS"?
Changed also.
3. We added support for ECC, so a couple of params were added to the mix (I have my understanding of what they are, but it's best to ask Jack to provide official info on those two):
+The following properties specify the key usage and which PIN user should be granted.
+
+.nf
*+.B op.enroll.<tokenType>.keyGen.<keyType>.alg=1**
**+.B op.enroll.<tokenType>.keyGen.<keyType>.keySize=1024*
+.B op.enroll.<tokenType>.keyGen.<keyType>.keyUsage=0
+.B op.enroll.<tokenType>.keyGen.<keyType>.keyUser=0
+.fi
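Review bot: the lead sentence only describes keyUsage and keyUser, but the `.nf` block also lists `alg=1` and `keySize=1024` with no explanation of what those values mean. Add a sentence per property (what `alg=1` denotes, which key sizes are valid for it, and what the numeric `keyUsage` and `keyUser` values map to); as written, the reader sees sample values with no semantics attached.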
I added the alg and keySize properties. Jack, please let me know how we
can change the text above to describe all properties above.
3. Same comment from 1 for the following:
+There is a special case of tokenType userKeyTemporary.
+Make sure the profile specified by the profileId to have
+short validity period (e.g. 7 days) for the certificate.
+
+.nf
+.B op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher
+.B op.enroll.userKeyTemporary.keyGen.signing.publisherId=fileBasedPublisher
+.f
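Review bot: `+.f` on the last line is not a groff request; the no-fill block opened with `.nf` needs `.fi` to close it, otherwise everything after it renders unfilled. Also, "Make sure the profile specified by the profileId to have short validity period" should read "has a short validity period", and the two `publisherId=fileBasedPublisher` lines have nothing to do with the validity-period text that introduces them, so either move them under their own description or drop them from this paragraph.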
I've changed the "signing" to "<keyType>", but if I change the "userKey" and "userKeyTemporary" into "<tokenType>" too, the two lines will become identical. Is that ok, or are these two special cases?
Note that the text and the properties don't seem to be related, and we discussed fixing it separately later.
4. You asked me about the following; I think I just realized what it was now. It's for things like
op.enroll.userKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey
so, a generic thing is:
op.enroll.<tokenType>.keyGen.<keyType>.recovery.<tokenState>.scheme=GenerateNewKey
+The three recovery schemes supported are:
+ \fBGenerateNewKey\fR - Generate a new cert for the encryption cert.
+ \fBRecoverLast\fR - Recover the most recent cert for the encryption cert.
+ \fBGenerateNewKeyandRecoverLast\fR - Generate new cert AND recover last for encryption
cert.
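Review bot: the list names the three scheme values but not the property they are set on; add the `.B op.enroll.<tokenType>.keyGen.<keyType>.recovery.<tokenState>.scheme` line before the list so the reader knows where `GenerateNewKey`, `RecoverLast` and `GenerateNewKeyandRecoverLast` go. The third item is also broken mid-sentence (`encryption` / `cert.`) and should be on one line.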
OK, the property has been added.
5. for the following you might want to add a generic thing as well:
e.g.
op.enroll.<tokenType>.renewal.*
+.SS Token Renewal
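Review bot: the new `.SS Token Renewal` heading has no properties under it in this hunk; list the `op.enroll.<tokenType>.renewal.*` properties it introduces, in the same `.B` form used for the enrollment properties, so the section is not an empty heading.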
Added.
5. There seem to be profile-related comments for "Format Operation For tokenKey" and "Pin Reset Operation For CoolKey". Are they significant enough to be added?
Added now. They didn't appear in the UI so I wasn't aware of them.
--
Endi S. Dewata