Re: [PATCH v6 4/6] KEYS: validate certificate trust only with selected owner key

From: Mimi Zohar
Date: Mon Jun 30 2014 - 09:58:17 EST


On Mon, 2014-06-30 at 16:47 +0300, Dmitry Kasatkin wrote:
> On 27/06/14 20:44, Mimi Zohar wrote:
> > On Fri, 2014-06-27 at 14:55 +0100, David Howells wrote:
> >> Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> >>
> >>> This patch defines a new kernel parameter 'keys_ownerid' to identify
> >>> the owner's key which must be used for trust validation of certificates.
> >> "ca_keys" or "only_ca" instead, maybe?
> > Neither of these names reflects the concept of the machine owner or a
> > local key. The initial patches named it 'owner_keyid'. If kernel
> > parameters don't need to be prefixed with the subsystem, we could revert
> > the name change or call it localca_keyid.
> >
> > Mimi
>
> I am not against any of the proposals.
>
> But considering that we use those keys to verify other keys, they become
> ca keys.
> So from that point of view I think 'ca_keys' reflects functionality
> quite ok.
>
> localca_ prefix is maybe not very relevant as builtin keys may
> come from kernel vendor (RH, Ubuntu)
> and are not really local...

Ok.

> so let's decide on 'ca_keys'?

Ok. This change isn't limited to just the kernel boot parameter name,
but needs to be reflected in the patch description and variable/function
names.

thanks,

Mimi
