On Tue, Jan 25, 2011 at 05:36:54PM -0700, Eric Blake wrote:

> + <dl> > + <dt><code>mode='host'</code></dt> > + <dd>The simplest operation, where the hypervisor relays all > + requests from the guest into direct access to the host's > + smartcard via NSS. No other attributes or sub-elements are > + required. However, in cases where extra permissions must be > + granted to the hypervisor to access the host's smartcard device, > + an optional <code><source > + dev='/path/to/smartcard'/></code> element is supported. > + Also, see below about the use of an > + optional <code><address></code> sub-element.</dd>

Based on the mail about pcscd, we don't want a device path here after all.

> + <dt><code>mode='host-certificates'</code></dt> > + <dd>Rather than requiring a smartcard to be plugged into the > + host, it is possible to provide three files residing on the host > + and containing NSS certificates. These certificates can be > + generated via the command <code>certutil -d /etc/pki/nssdb -x -t > + CT,CT,CT -S -s CN=cert1 -n cert1</code>, and the resulting three > + files must be supplied as the content of each of > + three <code><certificate></code> sub-elements. An > + additional sub-element <code><database></code> can specify > + an additional file to use as the database.</dd>

What does the 'database' do? This concept is somewhat specific to the NSS library afaict - other crypto libraries don't have a database like this. Should we also have 'database' for the 'host' mode if we need one?

Regards,
Daniel
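
Review bot: in the mode='host-certificates' entry, the text promises "three files residing on the host and containing NSS certificates", but the certutil command shown creates a single self-signed certificate under the nickname cert1 inside the database at /etc/pki/nssdb, not one file per certificate. Please state whether each <certificate> sub-element carries a nickname or a path, and that the command has to be repeated with a distinct -s/-n value for each of the three. The example also writes into the system-wide /etc/pki/nssdb with -x -t CT,CT,CT, which marks each self-signed certificate as a trusted CA for anything else that uses that database; pointing the example at a dedicated database directory would avoid that. The <database> description should say what is used when the element is omitted and whether it names a file or an NSS database directory.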