[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [pkcs11] CKA_DESTROYABLE
I commented on this in my other response, but I'll pull out my comments here so discussion can happen in the right place. On 26.09.2013 21:20, Michael StJohns wrote: > I've started work on the 3.0 "protection attributes" section. As part > of that, I ended up writing a description of the CKA_DESTROYABLE > attribute - and that made me think about some interesting interactions > with CKA_TOKEN. > > I'm half thinking that we need to update the description of > CKA_DESTROYABLE for 2.4 as I don't think we covered this properly. > > (I've got CKA_DESTROYABLE as a sticky attribute with the sticky value > being CK_FALSE and the unset default value being CK_TRUE) > > Here's what I've written on this: > > > CKA_DESTROYABLE > > This attribute controls the use of the *C_DestroyObject* command on the > containing object. The command may only be used on the object if the > value of *CKA_DESTROYABLE* of the object being destroyed is set to > *CK_TRUE*. Sounds good. > If this attribute is set to *CK_FALSE*, then if the > *CKA_TOKEN *attribute is set to *CK_TRUE *(e.g. the object is a token > object), the object is persistent until the token is reinitialized > through a call to *C_InitToken*, or zeroized through non-PKCS11 means. > Otherwise, if the object is a session object, setting the attribute to > *CK_TRUE* causes the object to persist until the session is terminated. These sentences are confusing and/or uneccessary. When token is reinitialized or session is terminated objects are handled identically regardless of what CKA_DESTROYABLE is set to. The only difference is whether C_DestroyObject can be called, which you already noted in preceding text. > If a non-destroyable session object is changed to a token object, ... This text doesn't make sense. It is not possible to change an object from a token to a session object or vice versa. CKA_TOKEN is never modifiable. Cheers, Stef
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]