diff options
| author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2011-12-29 21:24:15 +0200 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2011-12-29 21:24:15 +0200 |
| commit | 05cf15edd2dac479b0eeb0fc26b33c1b9663b94e (patch) | |
| tree | 7e490eb06c2bc6f9cec7acfb78608d3f8d610256 | |
| parent | 6e1f1f28325a352a8946a74a0ad16e3f17f26335 (diff) | |
| download | gnutls-05cf15edd2dac479b0eeb0fc26b33c1b9663b94e.tar.gz | |
more updates
| -rw-r--r-- | doc/cha-cert-auth.texi | 16 | ||||
| -rw-r--r-- | doc/cha-cert-auth2.texi | 36 | ||||
| -rw-r--r-- | doc/cha-programs.texi | 14 |
3 files changed, 27 insertions, 39 deletions
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi index 924b2b3563..03748bc4ed 100644 --- a/doc/cha-cert-auth.texi +++ b/doc/cha-cert-auth.texi @@ -2,22 +2,18 @@ @chapter Certificate authentication @cindex certificate authentication -@menu -* Introduction:: -* X.509 certificates:: -* OpenPGP certificates:: -* Digital signatures:: -@end menu - -@node Introduction -@section Introduction - The most known authentication method of @acronym{TLS} are certificates. The PKIX @xcite{PKIX} public key infrastructure is daily used by anyone using a browser today. @acronym{GnuTLS} supports both @acronym{X.509} certificates @xcite{PKIX} and @acronym{OpenPGP} certificates using a common API. +@menu +* X.509 certificates:: +* OpenPGP certificates:: +* Digital signatures:: +@end menu + @node X.509 certificates @section @acronym{X.509} certificates @cindex X.509 certificates diff --git a/doc/cha-cert-auth2.texi b/doc/cha-cert-auth2.texi index b4f2fd0c49..3036bc78a7 100644 --- a/doc/cha-cert-auth2.texi +++ b/doc/cha-cert-auth2.texi @@ -2,12 +2,17 @@ @chapter More on certificate authentication @cindex certificate authentication +Certificates are not the only structures involved in a public key +infrastructure. Several other structures that are used for certificate +requests, encrypted private keys, revocation lists, GnuTLS abstract key +structures, etc., are discussed in this chapter. + @menu * PKCS 10 certificate requests:: * PKIX certificate revocation lists:: * Managing encrypted keys:: * The certtool application:: -* Hardware tokens:: +* Smart cards and HSMs:: * Abstract key types:: @end menu @@ -117,7 +122,7 @@ CRL number extension and the authority key identifier. Transferring or storing private keys in plain might not be a good idea. Any access on the keys becomes a fatal compromise. -Storing the keys in hardware tokens (see @ref{Hardware tokens}) +Storing the keys in hardware security modules (see @ref{Smart cards and HSMs}) could solve the storage problem but it is not always practical or efficient enough. This section describes alternative ways that involve encryption of the private keys to store and @@ -514,25 +519,14 @@ signing_key @end example -@node Hardware tokens -@section Security modules +@node Smart cards and HSMs +@section Smart cards and HSMs @cindex PKCS #11 tokens @cindex hardware tokens @cindex hardware security modules @cindex smart cards -@menu -* Introduction on security modules:: -* PKCS11 Initialization:: -* Reading objects:: -* Writing objects:: -* Using a PKCS11 token with TLS:: -* The p11tool application:: -@end menu - -@node Introduction on security modules -@subsection Introduction -In this section we present the smart-card and hardware security module support +In this section we present the smart-card and hardware security module (HSM) support in @acronym{GnuTLS} using @acronym{PKCS} #11 @xcite{PKCS11}. Hardware security modules and smart cards provide a way to store private keys and perform operations on them without exposing them. This allows decoupling cryptographic @@ -563,6 +557,14 @@ system, being the @acronym{Gnome Keyring}. @caption{PKCS #11 module usage.} @end float +@menu +* PKCS11 Initialization:: +* Reading objects:: +* Writing objects:: +* Using a PKCS11 token with TLS:: +* The p11tool application:: +@end menu + @node PKCS11 Initialization @subsection Initialization To allow all the @acronym{GnuTLS} applications to access @acronym{PKCS} #11 tokens @@ -687,7 +689,7 @@ p11tool is a program that is used to access tokens and security modules that support the PKCS #11 API. It requires individual PKCS #11 modules to be loaded either with the @code{--provider} option, or by setting up the GnuTLS configuration -file for PKCS #11 as in @ref{Hardware tokens}. +file for PKCS #11 as in @ref{Smart cards and HSMs}. @example p11tool help diff --git a/doc/cha-programs.texi b/doc/cha-programs.texi index 42cb4a90ba..ece704998c 100644 --- a/doc/cha-programs.texi +++ b/doc/cha-programs.texi @@ -73,12 +73,7 @@ Usage: gnutls-cli [options] hostname -v, --version prints the program's version number @end example -@menu -* Example client PSK connection:: -@end menu - -@node Example client PSK connection -@subsection Example client PSK connection +@subheading Example client PSK connection @cindex PSK client To connect to a server using PSK authentication, you need to enable @@ -164,12 +159,7 @@ Usage: gnutls-serv [options] -v, --version prints the program's version number @end example -@menu -* Setting up a test HTTPS server:: -@end menu - -@node Setting up a test HTTPS server -@subsection Setting up a test HTTPS server +@subheading Setting up a test HTTPS server @cindex HTTPS server @cindex debug server |