From: Dmitry Kasatkin <d.kasatkin@samsung.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>,
David Howells <dhowells@redhat.com>
Cc: keyrings <keyrings@linux-nfs.org>,
linux-security-module <linux-security-module@vger.kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
Josh Boyer <jwboyer@redhat.com>,
Matthew Garrett <mjg59@srcf.ucam.org>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Subject: Re: [PATCH v6 4/6] KEYS: validate certificate trust only with selected owner key
Date: Mon, 30 Jun 2014 16:47:16 +0300 [thread overview]
Message-ID: <53B16A64.4020903@samsung.com> (raw)
In-Reply-To: <1403891079.9446.12.camel@dhcp-9-2-203-236.watson.ibm.com>
On 27/06/14 20:44, Mimi Zohar wrote:
> On Fri, 2014-06-27 at 14:55 +0100, David Howells wrote:
>> Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
>>
>>> This patch defines a new kernel parameter 'keys_ownerid' to identify
>>> the owner's key which must be used for trust validation of certificates.
>> "ca_keys" or "only_ca" instead, maybe?
> Neither of these names reflect the concept of the machine owner or a
> local key. The initial patches named it 'owner_keyid'. If kernel
> parameters don't need to be prefixed with the subsystem, we could revert
> the name change or call it localca_keyid.
>
> Mimi
I neither against any of proposals.
But considering that we use those keys to verify other keys, they become
ca keys.
So from that point of view I think 'ca_keys' reflects functionality
quite ok.
localca_ prefix is may be not very relevant as builtin keys may
comesfrom kernel vendor (RH, Ubuntu)
and is not really local...
so let's decide on 'ca_keys'?
Thanks,
Dmitry
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
next prev parent reply other threads:[~2014-06-30 13:48 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-24 14:40 [PATCH v6 0/6] ima: extending secure boot certificate chain of trust Mimi Zohar
2014-06-24 14:40 ` [PATCH v6 1/6] KEYS: special dot prefixed keyring name bug fix Mimi Zohar
2014-06-27 13:24 ` David Howells
2014-06-24 14:40 ` [PATCH v6 2/6] KEYS: verify a certificate is signed by a 'trusted' key Mimi Zohar
2014-06-24 14:40 ` [PATCH v6 3/6] KEYS: make partial key id matching as a dedicated function Mimi Zohar
2014-06-27 13:38 ` David Howells
2014-06-30 13:14 ` Dmitry Kasatkin
2014-06-30 19:20 ` Mimi Zohar
2014-06-24 14:40 ` [PATCH v6 4/6] KEYS: validate certificate trust only with selected owner key Mimi Zohar
2014-06-27 13:55 ` David Howells
2014-06-27 17:44 ` Mimi Zohar
2014-06-30 13:47 ` Dmitry Kasatkin [this message]
2014-06-30 13:57 ` Mimi Zohar
2014-06-24 14:40 ` [PATCH v6 5/6] KEYS: validate certificate trust only with builtin keys Mimi Zohar
2014-06-27 13:54 ` David Howells
2014-06-27 17:50 ` Mimi Zohar
2014-06-24 14:40 ` [PATCH v6 6/6] ima: define '.ima' as a builtin 'trusted' keyring Mimi Zohar
2014-06-27 14:17 ` David Howells
2014-07-09 15:31 ` [PATCH v6 0/6] ima: extending secure boot certificate chain of trust David Howells
2014-07-09 16:40 ` Mimi Zohar
2014-07-09 18:56 ` David Howells
2014-07-09 21:29 ` Mimi Zohar
2014-07-10 14:47 ` Dmitry Kasatkin
2014-07-13 21:06 ` David Howells
2014-07-16 13:15 ` Mimi Zohar
2014-07-17 19:43 ` David Howells
2014-07-17 20:07 ` Mimi Zohar
2014-07-17 20:37 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53B16A64.4020903@samsung.com \
--to=d.kasatkin@samsung.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=jwboyer@redhat.com \
--cc=keyrings@linux-nfs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mjg59@srcf.ucam.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.