Re: [libvirt] [PATCHv3 1/5] smartcard: add XML support for <smartcard> device
- From: "Daniel P. Berrange" <berrange redhat com>
- To: Eric Blake <eblake redhat com>
- Cc: libvir-list redhat com, alevy redhat com
- Subject: Re: [libvirt] [PATCHv3 1/5] smartcard: add XML support for <smartcard> device
- Date: Wed, 26 Jan 2011 12:25:06 +0000
On Tue, Jan 25, 2011 at 05:36:54PM -0700, Eric Blake wrote:
> + <dl>
> + <dt><code>mode='host'</code></dt>
> + <dd>The simplest operation, where the hypervisor relays all
> + requests from the guest into direct access to the host's
> + smartcard via NSS. No other attributes or sub-elements are
> + required. However, in cases where extra permissions must be
> + granted to the hypervisor to access the host's smartcard device,
> + an optional <code><source
> + dev='/path/to/smartcard'/></code> element is supported.
> + Also, see below about the use of an
> + optional <code><address></code> sub-element.</dd>
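Review bot: The sentence introducing the optional source element, "in cases where extra permissions must be granted to the hypervisor", does not say who grants those permissions or what they consist of. A reader cannot tell whether libvirt itself changes ownership or security labels on the path given in dev, or whether the attribute is only a hint to the administrator. Please state what libvirt does with the path and which device is used when the element is omitted. The closing "see below" for the address sub-element would also be easier to follow with a short statement of what the address selects.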
Based on the mail about pcscd, we don't want a device path here
after all.
> + <dt><code>mode='host-certificates'</code></dt>
> + <dd>Rather than requiring a smartcard to be plugged into the
> + host, it is possible to provide three files residing on the host
> + and containing NSS certificates. These certificates can be
> + generated via the command <code>certutil -d /etc/pki/nssdb -x -t
> + CT,CT,CT -S -s CN=cert1 -n cert1</code>, and the resulting three
> + files must be supplied as the content of each of
> + three <code><certificate></code> sub-elements. An
> + additional sub-element <code><database></code> can specify
> + an additional file to use as the database.</dd>
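Review bot: The certutil command in the host-certificates entry creates one self-signed certificate with nickname cert1 inside the NSS database at /etc/pki/nssdb, so the following "the resulting three files" does not match what the command produces. Please say that it has to be run once per certificate with distinct names, and whether each certificate sub-element holds a nickname or a file path. The database sub-element is described as "an additional file", while the -d argument in the example is a directory, so the wording should agree with that. The example also adds self-signed certificates with CT,CT,CT trust to the system-wide database; pointing -d at a dedicated database for the guest would avoid widening trust on the host.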
What does the 'database' do ? This concept is somewhat specific
to the NSS library afaict - other crypto libraries don't have a
database like this.
Should we also have 'database' for the 'host' mode if we need one ?
Regards,
Daniel