[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [pkcs11] Updated CKA_PUBLIC_KEY_INFO
On 5/29/2013 8:19 PM, Burns, Robert
wrote:
Mike,What I just heard you say was: "If it was good enough for granddad, it's good enough for me". There are a lot of things that were never implied by PKCS11 v2.0 that are in V2.10, V2.20 and V2.30. If the current spec were perfect, we wouldn't be having this discussion.
I get the feeling that you missed the earlier discussion. There are something like 5 or 6 different types of public key pairs defined in PKCS11. Each of them has a distinct set of data that comprises a private key. I had two choices - leave the data format undefined for CKA_PUBLIC_KEY_INFO in the general case and go back for each and every key type and specify a format specific to that key type, OR specify CKA_PUBLIC_KEY_INFO as a SubjectPublicKeyInfo blob as the general case which meant that the rest of the definitions came in by reference. I did the latter as being "cleaner" and being applicable for all key pair types. What Peter originally proposed (See a message dated 4/2 subject "info for OASIS...") was to use C_DeriveKey with a mechanism CKM_GET_PUBLIC_KEY. That message and subsequent explains how we got to CKA_PUBLIC_KEY_INFO and why. If you would prefer one of the other options we discussed, feel free to write it up.
Got that - but those appear to be style comments rather than technical comments. not sure it's necessary (e.g. what customers have a system which requires public attributes but only have the private key???? seems like a broken system to me), Um. you mean public keys but only have the private key? Keep in mind that the creator of the token may not be the client that actually uses the token. Also consider something like a TPM which doesn't actually store the public key for a key pair in an object separate from the private key (you can extract the public key from the private key and use it as a separate object, but the generate key pair function only generates the single private key object). I wouldn't consider that broken. and if it is, the solution should be implemented at a more fundamental/architectural level so as to apply more universally across the objects, rather than just for a private key (e.g. new object type like KeyPair?, or adding all public attributes to private objects so they can be read?, or creating a 'Collection' object type where objects can be intrinsically grouped in a single reference?, etc. -- just some 'for example' thoughts). This seems like "If I can't do everything, I'm not going to do anything" sort of argument. If you have specific proposals rather than "but how about this" comments, it would be helpful if you actually made them, even if they might be deferred to 3.0.
|
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]