Mike Kupfer wrote:
Rainer> f kernel/crypto/sparcv9/dprov - 755 - - 246202 2 - - proto
Rainer> f kernel/drv/dprov.conf - 644 - - 0 1 - - proto
Rainer> f kernel/drv/sparcv9/dprov - 755 - - 246202 2 - - proto
Rainer>
Rainer> SUNWcryptoint
Rainer>
Rainer> Distributed in source; the only parts missing from SUNWcryptoint
Rainer> are etc/certs/SUNWosnetSolaris and etc/crypto/certs/SUNWosnet.
Rainer> Perhaps those should go into their own packages? Any
Rainer> suggestions for a name?
Yes, SUNWcryptoint. ;-)
Seriously, I think the right approach here is to keep the internal certs
in SUNWcryptoint, and split dprov--which is just an example driver--into
its own package. I'm not sure what a good name would
be... SUNWcryptodemo? This sounds like a question for
security-discuss.

I disagree. SUNWcryptoint is ONLY for distribution of the dprov driver
to PIT; that is what that package is for. The internal certificate must
go with the driver to PIT, otherwise it won't load.

There are two different certificates there. One is a dummy self-signed
cert; the other is a real crypto module signing cert, and that is ONLY for
signing dprov and temporary signing of the real modules.

We already have a couple of solutions in progress for the crypto modules:
1) Moving all the crypto modules that need to be signed that are part of
the shipped product into two new packages (one root and usr).
2) Hoping to remove the SUNWcry/SUNWcryr nonsense - legal approval
almost complete, workspace in progress.
3) Removal of the signing requirement complete for OpenSolaris builds -
it will likely need to stay (due to US export law) for the binary
Solaris product though.
4) Partially related to this, I want to investigate using per-build
self-signed keys for the non-crypto modules. Just haven't had the time.
Rainer> SUNWocfr
I believe that the smartcard code is supposed to be EOL'd and removed
completely, but I'm unsure of the timeframe.

The approvals have been granted by the appropriate bits of the Sun
process chain. Just need to start on the removal work now; it has to be
done carefully as it actually impacts more than just ON (there are
consumers in CDE, JDS and X consolidations that need to be fixed).
--
Darren J Moffat