Renamed to docs for consistency with other packages.

1 files changed, 0 insertions, 223 deletions

diff --git a/doc/notes b/doc/notes
deleted file mode 100644
index eaa6e5b..0000000
--- a/doc/notes
+++ /dev/null
@@ -1,223 +0,0 @@
-                       Wallet Implementation Notes
-
-Introduction
-
-    Collected here are implementation notes about design decisions,
-    external interfaces, integration, internal structure, and related
-    issues.  This document will mostly be of interest to people who want
-    to modify the wallet code or who are curious about its design.  This
-    is not user documentation or protocol specifications; see elsewhere
-    for that.
-
-Server Issues
-
-  Interface
-
-    We need two interfaces for retrieving items, one which retrieves the
-    current stored item and one which generates a new item.  This
-    particularly applies to keytabs.  We also don't want new keytabs to be
-    generated for certain keys even by accident without an explicit action
-    taken, but for most keytabs we want to generate new keys each time.
-    So we need an interface like:
-
-    get keytab
-
-      Generates a new keytab normally, but retrieves the existing keytab
-      if we've marked the key as unchanging.
-
-    flag unchanging
-    flag -unchanging
-
-      Change the state to generate new keytabs each time or always try to
-      pull the existing key.  This operation should probably be
-      privileged.
-
-    So if you want to generate a new key for a keytab that would otherwise
-    be persistant, mark it changing, download the new key, and then mark
-    it unchanging again.
-
-    Possibly need to do something about occasionally changing keys of
-    keytabs that are otherwise marked unchanging, or we're going to open
-    ourselves to brute force attacks.
-
-  ACL Management
-
-    Supported operations are:  get, store, create (triggered by a get or
-    store of something that didn't already exist), delete, show, and
-    setting or clearing flags.  Each of these need a separate ACL
-    potentially.  Not sure if we're going to need separate ACLs for each
-    flag operation.
-
-    Administrators get implicit access to do anything.  There does need to
-    be an ACL on create, but that should probably be implemented per
-    backend class (keytabs and certs will use NetDB roles, files will use
-    some namespace limitation based on a separate table, etc.).  There may
-    also need to be a class-specific fallback when no ACL is set to deal
-    with, for instance, ACL management via NetDB roles for systems that
-    have no more specific ACL.
-
-    Owner rights provides get, store, and show, but not delete or setting
-    or clearing flags (not delete because it's too destructive and we
-    don't want it done accidentally).  This can be overridden by more
-    precise ACL settings.  So the ACL logic would go like this:
-
-     * If the user is an administrator, operation is permitted.
-
-     * Otherwise, check the object.  If it exists and has a setting for
-       that specific ACL, apply that ACL.
-
-     * If the object exists but with no specific ACL setting and the
-       operation is one of get, store, or show, apply the owner ACL.
-
-     * If there is no listed owner ACL, punt to the backend and see if it
-       can apply a default ACL.
-
-     * If the object doesn't exist, punt to the backend, which will do its
-       own ACL check against backend-specific rules.
-
-    I think the owner abstraction is worth it over just setting the ACL
-    for get, store, and show.
-
-    We also need to provide an interface to manage certain types of ACLs,
-    in particular the krb5-group ACL scheme, at least in the short term
-    until we standardize on using LDAP for all of those ACLs.  We're
-    probably going to continue to use krb5-group ACLs for the forseeable
-    future in at least some cases, since we'll want to be able to do
-    things when LDAP or AFS is down or we'll want a higher level of
-    security than either can ensure.
-
-  Flags
-
-    locked      --  No operations permitted except show
-    unchanging  --  Pull existing value from file store
-
-    For backends like secure files, all values are unchanging implicitly,
-    but I don't think we should represent this by setting flags on every
-    instance of those backends; it's just confusing and doesn't provide
-    more information.
-
-  Expiration
-
-    The database has a field to store an expiration date for every object.
-    We can implement expiration methods in the backend to automatically
-    delete some objects (or perhaps lock them) when they pass their
-    expiration date, but a more useful method might be to provide warnings
-    when objects are about to expire via warning methods for a backend
-    that take the object name and the expiration date.  This would be
-    great for certificates, for instance.
-
-  Keytab Backend
-
-    As of the deployment of the wallet, we want to stop limiting nearly
-    all keytabs from being forced to single DES keys.  We're probably
-    still going to have some keys for which only particular enctypes are
-    permitted, however.  This means keeping a side table of allowable
-    enctypes per keytab name, where if there are no entries in the table
-    we allow any enctype.  We can pass a list of enctypes into kadmin when
-    doing the principal creation or randomization, separated by spaces and
-    enclosed in double quotes.
-
-    When creating a new principal with addprinc, pass the -clearpolicy
-    flag.  Otherwise, the principal will be placed in the default policy
-    and will be subject to password strength checking, and the initial
-    password used with -randkey will fail.
-
-    Whenever we generate a new keytab, we may need to push the key into
-    K4.  We could make the client send a flag saying whether they want
-    synchronization with K4, but it's easier to just always do it (except
-    maybe for some exception cases).  The user doesn't have to ask the
-    client program for the srvtab if they don't want it, and it doesn't
-    hurt to create the KDC entry.
-
-    This means that we need the gen_srvtab program from the old srvtab
-    backend on the server end to push the key into K4.  That program
-    already has the capability to take a srvtab containing the DES key and
-    push it into the K4 database.  It could probably stand some cleanup
-    and simplification for inclusion in the wallet source.  I'm probably
-    going to rename it to k4changekey or something similar in the process.
-
-  Certificate Creation
-
-    We probably want to handle all requested certificates from Comodo
-    using this interface since we can use its expiration handling to do
-    warnings and since that way users can re-download the certificate any
-    time they want.  Certificates are actually pairs of certificate and
-    key, though, and we need to figure out what we're storing.  There is
-    the key, which we want to be able to store but we don't really do
-    anything with (except ideally it's associated with a certificate),
-    there's the CSR (which we could reuse for renewals although that
-    doesn't get people to change their key), and there's the certificate
-    itself (which is actually public data).  Should there be some method
-    for someone to request that their previous CSR be reused to request a
-    new Comodo certificate?  Maybe more work than needed.
-
-  Cleanup of Old Entries
-
-    We should periodically scan the wallet for host-based entries for hosts
-    that aren't in NetDB.  Rather than removing them immediately, wait
-    until we haven't seen the host for several consecutive passes and then
-    purge them.  Send notification of the hosts that are being purged (and
-    maybe of the hosts that will be purged soon if nothing happens).
-
-Client Issues
-
-  Command-Line Options
-
-    Some of the specific data types are going to need their own flags to
-    operations like get.  As an example, the keytab get operation will
-    need an optional flag to specify the srvtab file to which to also
-    write the key, and will need an optional flag specifying the time
-    delta at which old kvnos should be pruned from the keytab.  These
-    flags need to be globally unique in the wallet client so that we can
-    use a naive option parser, although at least for starters we'll
-    probably require that all the options be given after the operation.
-
-  Keytab Handling
-
-    The server is going to hand the client a keytab that contains the
-    current keys for the given service.  Unless the keytab was marked as
-    unchanging, these entries will have a higher kvno than any keys
-    already in the keytab on the local system.
-
-    The only interfaces to read keytabs require a file, so the client will
-    need to save the keytab to a temporary file in order to extract
-    individual keys.  If there is no keytab on the local system in the
-    path given to the wallet, this is simple; just write the keytab as
-    returned by the server into the file.
-
-    If the keytab already exists, we want the following behavior:
-
-     * Add the keys from the new keytab.
-
-     * Retain in the keytab keys for the previous kvno, but not for any
-       older kvno older than the maximum lifetime of Kerberos tickets.  So
-       scan the keytab for keys with an older kvno and a timestamp older
-       than one day (maybe make it a week just in case) and delete them.
-       (Possibly make this configurable.)
-
-     * Delete any keys in the keytab matching the current kvno, just to be
-       sure we don't get any strange issues.
-
-    We want to try to add the new keys first to minimize the outage window
-    where service tickets handed out by the KDC aren't recognized by the
-    host.  Adding the keys does just append them to the end, but we
-    probably have to clean out any keys with the same kvno first.  That's
-    a rare case, so I don't think we have to worry about the outage window
-    there.
-
-  Srvtab Handling
-
-    If a srvtab was requested, we search for the key in the new keytab
-    that has an enctype of ENCTYPE_DES_CBC_CRC and then write it out to a
-    srvtab file.  The MIT Kerberos library doesn't support writable
-    srvtabs in the keytab backend, so we roll that ourselves.
-
-    Look at src/lib/krb5/keytab/kt_srvtab.c in the MIT Kerberos source for
-    the format of a srvtab file (see the end of that file).
-
-    The kvno that we get from K5 may have no bearing on the kvno in K4.
-    In order to get the K4 kvno, use the new key to obtain a K4 service
-    ticket for ourselves and then read the kvno off that service ticket.
-    There are other approaches, but the other approaches all require
-    changes to the server side as well, whereas this is self-contained in
-    the client and can be more easily dropped when we drop K4.