[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [pkcs11] Updated CKA_PUBLIC_KEY_INFO
Peter, I think the term 'unusable' is a bit of hyperbole -- I'd bet if P11 were indeed 'unusable', we wouldn't be having this discussion. P11 is quite clear in its usage requirements with respect to asymmetric operations: * If you need to do public key operations, you need a public key object and handle to that object, * If you need to do private key operations, you need a private key object and handle to that object, * If you need to do both public and private key operations, you need both a public and private key object as well as handles to both objects. It's pretty cut-and-dry -- and fairly usable, at least in my experience. What you're describing is a use case which says, "I only have a private key object, how might I perform public key operations?" I can honestly say that in my 16 years of dealing with application developers and customers, I have yet to have a single one say that it's a problem that they can't do public key operations with only a private key. Now I do sense that you and Mike are pretty passionate about this and that you have real problems you're trying to solve for your customers, and I respect that. I understand it's a real problem for you -- I get it. I'm not trying to be a barrier to either of you personally, I just believe that the use case has a more elegant solution which should be explored and might be more fundamental than we have time for in a 2.40 release. Bolting on a solution so we have a quick fix just doesn't feel right to me. Furthermore, I'm quite comfortable with being wrong (just ask my wife!), so if I'm in the minority here, that's ok -- that's how these discussions are supposed to work -- we're free to express our opinions and thoughts and the group ultimately decides from there. I've spoken my peace and I'll be happy with whatever the group decides -- honest. So from a "put up or shut up" perspective, I say move for a vote on the proposal and we'll take it from there. If it's approved, I'll advocate for adding it to the 'implement for our 2.40 p11 update'; if it's not, then I'm willing to help explore alternatives for a follow on 2.50/2.XX update. Thanks for the dialog, Bob > -----Original Message----- > From: Peter Gutmann [mailto:pgut001@cs.auckland.ac.nz] > Sent: Thursday, May 30, 2013 12:01 AM > To: msj@nthpermutation.com; pgut001@cs.auckland.ac.nz; Burns, Robert > Cc: pkcs11@lists.oasis-open.org > Subject: RE: [pkcs11] Updated CKA_PUBLIC_KEY_INFO > > "Burns, Robert" <Robert.Burns@thalesesec.com> writes: > > >I have yet to hear an argument that this functionality is anything more > >than a convenience for linking RSA keys to each other, to certificates, > >and to allow for tokens to have only the private key instead of both > >the private & public keys. Is that a fundamental problem? I think not. > > How can having a token that's unusable be anything other than a > fundamental problem? If you can explain to me how I'm supposed to do > anything at all with a token containing a DSA or ECDSA or whatever private > key object then I'll happily drop my pushing for a SPKI. Conversely, if you > can't explain how to use said token then you can't claim that it's something > that doesn't need fixing. > > (I realise that this is a bit of a "put up or shut up", but it seems that everyone, > and in particular application developers who need to use the PKCS > #11 API, sees the need for this except you). > > >And what will an application do if it is not supported by a token? > > In my case I'll be telling my customers affected by this "don't use products > from this vendor, since they're unusable for your needs". It's pretty open- > and-shut really. If the vendors could put a label on their advertising "Our > products essentially can't be used for DSA or ECDSA" that would make it > easier of course, but I guess word will get around as to which ones do and > don't work. > > Peter.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]