Subject: Re: [pkcs11-comment] Need more details on CKA_TRUSTED for keys
My understanding is that keys generated by the normal user must have CKA_TRUSTED FALSE; the SO can generate keys with CKA_TRUSTED TRUE, or use C_SetAttributeValue to set it TRUE on an existing key. It's been some years since I was involved in PKCS#11 development though.

(A related question is whether the SO can use objects with CKA_PRIVATE TRUE, or whether "a user may not access the object until the user has been authenticated to the token" means authenticated as the normal user who "owns" the object. If not, then CKA_PRIVATE objects can't ever be trusted. I suspect this is implementation dependent.)

On 26 September 2017 at 19:03, girish kumar <girishbangaram@gmail.com> wrote:
> Hi All,
> I am looking to seek clarifications for the CKA_TRUSTED attributes for the
> keys. As per the specification, I understood that the CKA_TRUSTED can be set
> only by the SO user.
>
> Does this mean CKA_TRUSTED can not be set to TRUE when generating the key
> and can be set explicitly by SO only using C_SetAttributeValue?
> Or does this mean the value of CKA_TRUSTED can be changed from FALSE to TRUE
> by SO only and can be set to any value during key generation?
>
> Any help in clarifying the above will be highly appreciated.
>
> --
> Regards,
> Girish

--
alan.braggins@gmail.com http://www.chiark.greenend.org.uk/~armb/