Re: [PATCH v6 4/6] KEYS: validate certificate trust only with selected owner key

From: Dmitry Kasatkin
Date: Mon Jun 30 2014 - 09:48:24 EST


On 27/06/14 20:44, Mimi Zohar wrote:
> On Fri, 2014-06-27 at 14:55 +0100, David Howells wrote:
>> Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
>>
>>> This patch defines a new kernel parameter 'keys_ownerid' to identify
>>> the owner's key which must be used for trust validation of certificates.
>> "ca_keys" or "only_ca" instead, maybe?
> Neither of these names reflects the concept of the machine owner or a
> local key. The initial patches named it 'owner_keyid'. If kernel
> parameters don't need to be prefixed with the subsystem, we could revert
> the name change or call it localca_keyid.
>
> Mimi

I am not against any of the proposals.

But considering that we use those keys to verify other keys, they become
CA keys.
So from that point of view I think 'ca_keys' reflects the functionality
quite OK.

The localca_ prefix is maybe not very relevant, as builtin keys may
come from the kernel vendor (RH, Ubuntu)
and are not really local...

So let's decide on 'ca_keys'?

Thanks,
Dmitry

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/