Jan Pechanec wrote:
> On Tue, 8 Jan 2008, Darren J Moffat wrote:
>
>> I'm sponsoring this case for Huie-Ying Lee of the OpenSolaris KMF project.
>> I'm using this old case number as other ARC cases reference this case
>> number as a requirement for EOF removal of some old smartcard functionality.
>
> hi Darren, during the recent discussion on kmf-discussion we came to
> the conclusion that certificate to user mapping capability should be exported by
> KMF since that's quite a common thing requested by applications working with
> certificates. While there is no draft on possible implementation, using
> dynamic modules seems to be the right thing so that we could add new
> mappings on the fly, possibly just with a new section in a configuration
> file.
>
> mapper modules shipped with pam_pkcs11 seem like the way to go and
> to start with. I think that another consumer of such modules might be
> Kerberos.

Which is one of the reasons that the mapper modules this case provides are Volatile and not Committed.

> shouldn't we then consider certificate to username mapping a generic
> feature that is going to be needed by various parts of the system?

Yes we should but I don't believe anyone is ready to bring a case for that yet.

> having said that then for example /usr/lib/pam_pkcs11/ for storing
> shared mapper modules wouldn't fit into that picture of generic mapper
> modules used by various consumers in Solaris.

Which is why this is a Volatile interface - so that when the future case comes along to do this more generically if it needs to it can move the mapping modules provided by this case.

I don't see anything in this case that stops the project team providing a generic cert mapping functionality later, even based on the modules that this case provides.

--
Darren J Moffat
