RE: [pkcs11] Updated CKA_PUBLIC_KEY_INFO

["Burns, Robert" <Robert.Burns@thalesesec.com>]

Peter,

I think the term 'unusable' is a bit of hyperbole -- I'd bet if P11 were indeed 'unusable', we wouldn't be having this discussion.

P11 is quite clear in its usage requirements with respect to asymmetric operations:

* If you need to do public key operations, you need a public key object and handle to that object,
* If you need to do private key operations, you need a private key object and handle to that object,
* If you need to do both public and private key operations, you need both a public and private key object as well as handles to both objects.

It's pretty cut-and-dry -- and fairly usable, at least in my experience.

What you're describing is a use case which says, "I only have a private key object, how might I perform public key operations?"  I can honestly say that in my 16 years of dealing with application developers and customers, I have yet to have a single one say that it's a problem that they can't do public key operations with only a private key.

Now I do sense that you and Mike are pretty passionate about this and that you have real problems you're trying to solve for your customers, and I respect that.  I understand it's a real problem for you -- I get it.  I'm not trying to be a barrier to either of you personally, I just believe that the use case has a more elegant solution which should be explored and might be more fundamental than we have time for in a 2.40 release.  Bolting on a solution so we have a quick fix just doesn't feel right to me.

Furthermore, I'm quite comfortable with being wrong (just ask my wife!), so if I'm in the minority here, that's ok -- that's how these discussions are supposed to work -- we're free to express our opinions and thoughts and the group ultimately decides from there.  I've spoken my peace and I'll be happy with whatever the group decides -- honest.

So from a "put up or shut up" perspective, I say move for a vote on the proposal and we'll take it from there.  If it's approved, I'll advocate for adding it to the 'implement for our 2.40 p11 update'; if it's not, then I'm willing to help explore alternatives for a follow on 2.50/2.XX update.

Thanks for the dialog,

Bob

> -----Original Message-----
> From: Peter Gutmann [mailto:pgut001@cs.auckland.ac.nz]
> Sent: Thursday, May 30, 2013 12:01 AM
> To: msj@nthpermutation.com; pgut001@cs.auckland.ac.nz; Burns, Robert
> Cc: pkcs11@lists.oasis-open.org
> Subject: RE: [pkcs11] Updated CKA_PUBLIC_KEY_INFO
> 
> "Burns, Robert" <Robert.Burns@thalesesec.com> writes:
> 
> >I have yet to hear an argument that this functionality is anything more
> >than a convenience for linking RSA keys to each other, to certificates,
> >and to allow for tokens to have only the private key instead of both
> >the private & public keys.  Is that a fundamental problem?  I think not.
> 
> How can having a token that's unusable be anything other than a
> fundamental problem?  If you can explain to me how I'm supposed to do
> anything at all with a token containing a DSA or ECDSA or whatever private
> key object then I'll happily drop my pushing for a SPKI.  Conversely, if you
> can't explain how to use said token then you can't claim that it's something
> that doesn't need fixing.
> 
> (I realise that this is a bit of a "put up or shut up", but it seems that everyone,
> and in particular application developers who need to use the PKCS
> #11 API, sees the need for this except you).
> 
> >And what will an application do if it is not supported by a token?
> 
> In my case I'll be telling my customers affected by this "don't use products
> from this vendor, since they're unusable for your needs".  It's pretty open-
> and-shut really.  If the vendors could put a label on their advertising "Our
> products essentially can't be used for DSA or ECDSA" that would make it
> easier of course, but I guess word will get around as to which ones do and
> don't work.
> 
> Peter.