Thanks, Michael.
I see. CKA_GLOBAL has a larger scope than CKA_TOKEN:
CKA_TOKEN objects persist through session close;
CKA_GLOBAL objects persist through a token re-initialization (C_InitToken).
And one side comment on the C_InitToken you mention: if a user
wishes to rename a token label, going through CKM_SEAL_KEY, etc.,
then calling C_InitToken with the new token label, and restoring
(UnwrapKey...) whatever was there back into the token can also be
considered another way of renaming a token. Just a longer way, but it will work. :-)
Best,
Oscar
On 07/03/13 02:21 PM, Michael StJohns wrote:
On 7/3/2013 3:23 AM, Oscar K So Jr. wrote:
Michael,
What does CKA_GLOBAL really mean?
For example, does it mean that when a PKCS#11 object has
CKA_GLOBAL=<whatever value>, such a PKCS#11 object can be "operated"
within the tokens under one HSM?
Sorry - I'm having problems understanding what you mean by the
question. Let me take a try at it.
CKA_GLOBAL is just another classifier attribute - probably closest
to CKA_CLASS in the way it might be used. Existing token objects
are all within the domain of the token user (e.g. they go away
when the token is re-initialized, or when the session ends). This
provides a marker mechanism to mark objects with scope that's
closer to the token implementation rather than to a specific token
instantiation (e.g. to associate them with the life cycle between
manufacture and destruction rather than the part of the life cycle
between calls to C_InitToken and C_Zeroize).
If you look at the documentation for the Trusted Platform Module
you'll see descriptions of keys and objects that belong to the TPM
rather than to any individual using the TPM (e.g. the Endorsement
Key and the EK Certificate, the platform certificate, etc). There
is no current way in PKCS11 of getting similar semantics or
objects.
Mike
Thanks,
Oscar
On 06/26/13 02:45 PM, Michael StJohns wrote:
Submitter's message
This was formerly section 2 of pkcs11-global-values-v2.docx.
It consists of a description of some number of objects that
might be created using the CKA_GLOBAL convention.
This is not an active proposal at this time. If CKA_GLOBAL is
approved and either CKM_SEAL_KEY or CKM_CERTIFY_KEY is
approved as a work item, sections of this document will be
proposed as pseudo-objects for inclusion in the spec.
-- Michael StJohns
Document Name: pkcs11-global-objects.docx
Description: This was formerly section 2 of pkcs11-global-values-v2.docx. It consists of a description of some number of objects that might be created using the CKA_GLOBAL convention.
Submitter: Michael StJohns
Group: OASIS PKCS 11 TC
Folder: Working Drafts
Date submitted: 2013-06-26 14:44:59
--
Best,
Oscar