kmip message



Subject: Digest attribute clarification



All,

Some questions and concerns have come up regarding the Digest attribute. We discussed the topic on last week's interop call, but it seems that this is an issue for the whole TC.

It is unclear how to calculate the Digest value for a key where the Key Material is a structure, e.g. for transparent keys.

A client may currently register an RSA private key in transparent form on a server, and the server may calculate the digest on e.g. the PKCS#1 byte string representation of the key or the TTLV-encoded Key Material structure of the key. From an interoperability perspective the result should be predictable. A Key Format Type field could be added to the Digest attribute, and if the key format type indicates that the Key Material is a Structure, then we could require the Digest to be calculated on the TTLV-encoding of the Key Material structure.

Aspects to consider are also how the digest is to be used. If it is only for server-internal use (e.g. not allowing more than one copy of the same key in the system), then there might not be a need to specify this further in the protocol. If we want a key registered on two systems to have the same digest, something more is needed. And what if the same key is registered in two different formats: should the digest still be the same?

Actual use-cases for the Digest attribute would be very helpful in clarifying the behavior and functionality of the attribute.


Best Regards,
Mathias
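
Added example, not part of the original message: the same RSA private key hashed once over its PKCS#1 DER byte string and once over the TTLV encoding of its Key Material structure, showing that the two candidate inputs yield different digest values. The toy key, the use of SHA-256, and the choice of Modulus, Private Exponent and Public Exponent as the transparent fields are assumptions made for illustration.

```python
import hashlib

# Constructed toy RSA key (textbook-sized numbers, illustration only).
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def der_int(v):
    """DER INTEGER with a minimal two's-complement body (short-form length)."""
    body = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return b"\x02" + bytes([len(body)]) + body

def pkcs1_private_key():
    """PKCS#1 RSAPrivateKey: SEQUENCE of version, n, e, d, p, q, dP, dQ, qInv."""
    fields = [0, N, E, D, P, Q, D % (P - 1), D % (Q - 1), pow(Q, -1, P)]
    body = b"".join(der_int(f) for f in fields)
    return b"\x30" + bytes([len(body)]) + body

def ttlv(tag, item_type, value):
    """KMIP TTLV item: 3-byte tag, 1-byte type, 4-byte length, value padded to 8."""
    header = tag.to_bytes(3, "big") + bytes([item_type]) + len(value).to_bytes(4, "big")
    return header + value + bytes(-len(value) % 8)

def ttlv_big_integer(tag, v):
    """Big Integer (type 0x04), sign-extended on the left to a multiple of 8 bytes."""
    size = (v.bit_length() // 8 + 8) // 8 * 8
    return ttlv(tag, 0x04, v.to_bytes(size, "big"))

def ttlv_key_material():
    """Key Material structure of a Transparent RSA Private Key (assumed fields:
    Modulus, Private Exponent, Public Exponent)."""
    items = (ttlv_big_integer(0x420052, N)      # Modulus
             + ttlv_big_integer(0x420063, D)    # Private Exponent
             + ttlv_big_integer(0x42006C, E))   # Public Exponent
    return ttlv(0x420043, 0x01, items)          # Key Material, type Structure

def candidate_digests():
    """SHA-256 over each byte representation of the same key."""
    return {
        "PKCS#1 DER": hashlib.sha256(pkcs1_private_key()).hexdigest(),
        "TTLV Key Material": hashlib.sha256(ttlv_key_material()).hexdigest(),
    }

if __name__ == "__main__":
    for name, digest in candidate_digests().items():
        print(f"{name:18} {digest}")
```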
