(A few months ago I looked into the feasibility of replacing the openssl plug-in code w/kmfapi and I sent a version of this in email to some folks and now would like to circulate it wider -- and our MIT Kerb 1.6.3 resync is near done so we need to decide how to procede.)
Going into this project, I was shooting for kmf-purity -- that is, try to replace the openssl routines totally (or at least the x509 openssl api) with kmfapi. But now that I've seen the pkinit routines that construct the AS request with signed data using the pkcs7 (openssl) api, that goal would be difficult because pkcs7 uses the x509 api heavily. So here's what I'm thinking now. Leave the x509 code as-is for the current MIT kinit/krb5.conf cert options: FILE:file-name[,key-file-name] DIR:directory-name PKCS12:pkcs12-file-name PKCS11:[module_name=]module-name... And if there is demand (customers pls chime in) we add a new one for nss: NSS:<how-ever-one-identifies-nss-cert> We can use kmfapi to read in the nss certs and convert them to x509 and then use the current pkcs7/x509-based code to construct the AS request. We might even want to do this as a separate plug-in. This takes advantage of a unique feature of kmf (NSS support) and gives added value to OpenSolaris pkinit (while keeping the openssl plug-in code and user interface the same as MIT Kerb). thx, glenn
