OpenSolaris Project: Key Management Framework
Endorsing communities: OS/Net (ON), Security
Key Management Framework

The goal of the project is to provide a unified set of interfaces (both programming APIs and administrative tools) for managing PKI objects in Solaris. Currently, there are several different "keystore systems" that developers and administrators must choose among when designing systems that employ PKI technologies: NSS, OpenSSL, and PKCS#11 are the 3 main choices for Solaris users. Each of these systems presents very different programming APIs and administrative tools, and none of them has any sort of concept of a PKI policy enforcement system.

Details

KMF provides generic interfaces that can be used to manipulate objects (keys, certificates) in all of the above-mentioned keystores. The programming API layer is generic and allows the developer to specify which type of keystore is to be used. KMF will also provide plugin modules for each of the 3 systems so that new applications can be written to use any of the above keystores. A new management utility will allow the administrator to manage PKI objects in all 3 keystores from a single utility, instead of learning 3 different utilities (openssl, certutil, pkutil).

Another unique feature of KMF is that it will provide a system-wide policy database whose policies KMF applications can apply, regardless of which type of keystore is being used. The administrator will be able to create policy definitions in a global database. KMF applications can then choose which policy they want to assert, and all subsequent KMF operations will behave according to the limitations of the policy being enforced. Policy definitions include rules for how validation is to be performed, key usage and extended key usage requirements, trust anchor definitions, OCSP parameters, and CRL DB parameters (location, etc).

Feature Summary
More Information
Announcements
| 27 Nov 2006 | Key Management Framework putback |
| 13 Mar 2006 | Design Document Posted |