On Tue, 8 Jan 2008, Darren J Moffat wrote:
> I'm sponsoring this case for Huie-Ying Lee of the OpenSolaris KMF project. I'm
> using this old case number as other ARC cases reference this case number as a
> requirement for EOF removal of some old smartcard functionality.

Hi Darren, during the recent discussion on kmf-discussion we came to
the conclusion that certificate to user mapping capability should be exported by
KMF since that's quite a common thing requested by applications working with
certificates. While there is no draft on possible implementation, using
dynamic modules seems to be the right thing so that we could add new
mappings on the fly, possibly just with a new section in a configuration
file.

Mapper modules shipped with pam_pkcs11 seem like the way to go and
to start with. I think that another consumer of such modules might be
Kerberos.

Shouldn't we then consider certificate to username mapping a generic
feature that is going to be needed by various parts of the system?

Having said that, then for example /usr/lib/pam_pkcs11/ for storing
shared mapper modules wouldn't fit into that picture of generic mapper
modules used by various consumers in Solaris.

Thanks, Jan.

--
Jan Pechanec