Just a few comments:

1. How about change "userKey" to "<tokenType>", and "signing" to "<keyType>"?
+The following property specifies the CUID shown in the certificate.
+
+.B op.enroll.userKey.keyGen.signing.cuid_label
+
+The following property specifies the token name.
+All resulting labels for co-existing keys on the same token must be unique.
+
+.B op.enroll.userKey.keyGen.signing.label
2. How about replace all reference of "RA" (an outdated name for "TPS") with "TPS"?

3. We added support for ECC, so a couple params added to the mix (I have my understanding of what they are, but it's best to ask Jack to provide official info on those two) :
+The following properties specify the key usage and which PIN user should be granted.
+
+.nf
+.B op.enroll.<tokenType>.keyGen.<keyType>.alg=1
+.B op.enroll.<tokenType>.keyGen.<keyType>.keySize=1024
+.B op.enroll.<tokenType>.keyGen.<keyType>.keyUsage=0
+.B op.enroll.<tokenType>.keyGen.<keyType>.keyUser=0
+.fi
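Review bot: the four properties in this block carry bare numeric values (alg=1, keyUsage=0, keyUser=0) with no legend, so a reader cannot tell which alg value selects RSA versus the newly supported ECC, or what keyUsage and keyUser encode; please add the accepted values and their meaning under each property. The keySize=1024 line also reads as a recommended setting rather than an illustration; consider showing 2048 or stating that the value is only an example, since 1024-bit RSA is below current key-length guidance.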
4. Same comment from 1 for the following:
+There is a special case of tokenType userKeyTemporary.
+Make sure the profile specified by the profileId to have
+short validity period (e.g. 7 days) for the certificate.
+
+.nf
+.B op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher
+.B op.enroll.userKeyTemporary.keyGen.signing.publisherId=fileBasedPublisher
+.f
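Review bot: the block opened with `.nf` is closed with `.f`, which is not a troff request, so fill mode is never restored and the rest of the man page after this point renders unfilled; change it to `.fi`. In the sentence above, "Make sure the profile specified by the profileId to have short validity period" should read "Make sure the profile specified by profileId has a short validity period".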

5. You asked me about the following, I think I just realized what it was now.  It's for things like
op.enroll.userKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey
so, a generic thing is:
op.enroll.<tokenType>.keyGen.<keyType>.recovery.<tokenState>.scheme=GenerateNewKey

+The three recovery schemes supported are:
+  \fBGenerateNewKey\fR - Generate a new cert for the encryption cert.
+  \fBRecoverLast\fR - Recover the most recent cert for the encryption cert.
+  \fBGenerateNewKeyandRecoverLast\fR - Generate new cert AND recover last for encryption cert.
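Review bot: all three scheme descriptions say "for the encryption cert", but the property is keyed on <keyType> and the example given in the mail is op.enroll.userKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey; either state that recovery schemes only apply to the encryption key type, or drop "encryption" from the descriptions so the text matches the generic property form.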
6. For the following you might want to add a generic thing as well:
e.g.
op.enroll.<tokenType>.renewal.*
+.SS Token Renewal
7. There seems to be profile-related comments for "Format Operation For tokenKey" and "Pin Reset Operation For CoolKey".  Are they significant enough to be added?

thanks,
Christina
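The generic property shape discussed above (op.enroll.<tokenType>.keyGen.<keyType>.<attribute>, with recovery.<tokenState>.scheme as one attribute) lends itself to a small lint pass over a TPS profile fragment. The following is an added example and not code from the pki project or from the patch; the sample properties are constructed from the names in this thread (the token state "someOtherState", the scheme "RecoverAll" and the 2048-bit encryption key are made up to exercise the checks), and the 2048-bit minimum is an assumption of this example, not anything the man page states.

```python
import re
from typing import Dict, List

# Generic property shape from the thread:
#   op.enroll.<tokenType>.keyGen.<keyType>.<attribute>=<value>
PROP_RE = re.compile(
    r"^op\.enroll\.(?P<tokenType>[^.]+)\.keyGen\.(?P<keyType>[^.]+)"
    r"\.(?P<attr>[^=]+)=(?P<value>.*)$"
)
# Recovery attributes take the form recovery.<tokenState>.scheme
RECOVERY_RE = re.compile(r"^recovery\.(?P<tokenState>[^.]+)\.scheme$")

# The three schemes named in the patch text.
VALID_SCHEMES = {"GenerateNewKey", "RecoverLast", "GenerateNewKeyandRecoverLast"}

# Constructed sample profile fragment (not a real TPS configuration).
# "destroyed" and "GenerateNewKey" come from the thread; "someOtherState",
# "RecoverAll" and the 2048-bit encryption key are made up for this example.
SAMPLE_PROPERTIES = """
# constructed sample
op.enroll.userKey.keyGen.signing.alg=1
op.enroll.userKey.keyGen.signing.keySize=1024
op.enroll.userKey.keyGen.signing.keyUsage=0
op.enroll.userKey.keyGen.signing.keyUser=0
op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher
op.enroll.userKeyTemporary.keyGen.signing.publisherId=fileBasedPublisher
op.enroll.userKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey
op.enroll.userKey.keyGen.encryption.recovery.someOtherState.scheme=RecoverAll
op.enroll.userKey.keyGen.encryption.keySize=2048
"""


def parse_properties(text: str) -> List[Dict[str, str]]:
    """Split a profile fragment into op.enroll.*.keyGen.* records.

    Blank lines, comments and properties outside the keyGen subtree
    (for example op.enroll.<tokenType>.renewal.*) are skipped.
    """
    props = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PROP_RE.match(line)
        if m:
            props.append(m.groupdict())
    return props


def lint_properties(props: List[Dict[str, str]], min_key_bits: int = 2048) -> List[str]:
    """Return one finding per recovery scheme outside the documented set and
    per keySize below min_key_bits.

    Assumption of this example: keySize is treated as a modulus length in bits
    for every key type; a profile using ECC keys would need a per-alg threshold.
    """
    findings = []
    for p in props:
        attr, value = p["attr"], p["value"]
        where = f"op.enroll.{p['tokenType']}.keyGen.{p['keyType']}.{attr}"
        rm = RECOVERY_RE.match(attr)
        if rm and value not in VALID_SCHEMES:
            findings.append(
                f"{where}: unknown recovery scheme '{value}' "
                f"for token state '{rm['tokenState']}'"
            )
        elif attr == "keySize":
            try:
                bits = int(value)
            except ValueError:
                findings.append(f"{where}: keySize '{value}' is not an integer")
                continue
            if bits < min_key_bits:
                findings.append(
                    f"{where}: keySize={bits} is below the {min_key_bits}-bit minimum"
                )
    return findings


if __name__ == "__main__":
    for finding in lint_properties(parse_properties(SAMPLE_PROPERTIES)):
        print(finding)
```

Run against the constructed sample, the lint reports the made-up "RecoverAll" scheme and the 1024-bit signing key and stays silent on the three documented schemes and the 2048-bit key; pointing parse_properties at a real profile file is a one-line change.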


On 05/07/2014 10:49 AM, Endi Sukma Dewata wrote:
On 5/7/2014 12:14 PM, Endi Sukma Dewata wrote:
The profile doc in TPS configuration file has been converted into
a man page pki-tps-profile.

Ticket #950

New patch attached. Fixed spec file.



_______________________________________________
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel