On Tue, Jan 25, 2011 at 05:36:54PM -0700, Eric Blake wrote:
+ <dl> + <dt><code>mode='host'</code></dt> + <dd>The simplest operation, where the hypervisor relays all + requests from the guest into direct access to the host's + smartcard via NSS. No other attributes or sub-elements are + required. However, in cases where extra permissions must be + granted to the hypervisor to access the host's smartcard device, + an optional <code><source + dev='/path/to/smartcard'/></code> element is supported. + Also, see below about the use of an + optional <code><address></code> sub-element.</dd>
Based on the mail about pcscd, we don't want a device path here after all.
+ <dt><code>mode='host-certificates'</code></dt> + <dd>Rather than requiring a smartcard to be plugged into the + host, it is possible to provide three files residing on the host + and containing NSS certificates. These certificates can be + generated via the command <code>certutil -d /etc/pki/nssdb -x -t + CT,CT,CT -S -s CN=cert1 -n cert1</code>, and the resulting three + files must be supplied as the content of each of + three <code><certificate></code> sub-elements. An + additional sub-element <code><database></code> can specify + an additional file to use as the database.</dd>
What does the 'database' do ? This concept is somewhat specific to the NSS library afaict - other crypto libraries don't have a database like this. Should we also have 'database' for the 'host' mode if we need one ? Regards, Daniel