kmip message
Subject: Register PKCS12 cogitations


Since my post from an hour ago has yet to hit the mailing list, I'm trying this alternative approach; apologies for spamming... here's what I originally sent...

A couple of points regarding my P12 work item out of the recent F2F.

1) We may have overlooked a useful additional attribute for both Registering and Getting pkcs12 objects.  Some of the potential consumers of pkcs12, like say Tomcat, for instance, expect their private key to be found using a particular alias (in Java terms) or FriendlyName (-name in OpenSSL terms).  We don't have a way to specify on a Get what should be used for a name/alias in the generation of the pkcs12, nor on the Register which name/alias should be used.  So Tomcat couldn't directly consume the output of the KMIP Get pkcs12, as it expects to see an alias of "tomcat" and the KMIP spec is silent about what alias should be produced, if any.  I would propose adding such an attribute, named PKCS_12FriendlyName, a single-value text string.  It could be recorded on the PrivateKey object when Registering, and then would be used for the production of the pkcs12 blob on a Get.  An alternative to this proposal would be to use the lowest index of an AlternativeName that is a text string, but that's abusing AlternativeName a bit.

2) The SecretData object that is used for decrypting key objects and validating the integrity of the pkcs12 blob...should this be required to have a Cryptographic Usage Mask of Derive (keys are being derived from the password) and be in an Active state?  I think the answers to both questions are "yes".

Regards,
Bruce Rich 

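Added example, not from Bruce's post or from the KMIP specification: a stdlib-only Python encoder and decoder for the PKCS#9 friendlyName bag attribute (OID 1.2.840.113549.1.9.20, carried as a BMPString) that a PKCS_12FriendlyName attribute would have the server emit into the pkcs12 on Get, together with the lookup a consumer such as Tomcat performs to find its "tomcat" alias. The bag contents below are constructed for illustration.

```python
# Added example (not from the post): encode/decode the PKCS#9 friendlyName bag attribute.
FRIENDLY_NAME_OID = "1.2.840.113549.1.9.20"

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for a in arcs[2:]:
        chunk = [a & 0x7F]  # base-128, high bit set on all but the last byte
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def friendly_name_attribute(name):
    """PKCS12Attribute ::= SEQUENCE { OID friendlyName, SET { BMPString name } }."""
    bmp = der_tlv(0x1E, name.encode("utf-16-be"))  # BMPString is UCS-2 big-endian
    return der_tlv(0x30, der_tlv(0x06, encode_oid(FRIENDLY_NAME_OID)) + der_tlv(0x31, bmp))

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def find_friendly_name(bag_attributes):
    """Return the friendlyName in a DER 'SET OF PKCS12Attribute', or None if absent."""
    tag, body, _ = _read_tlv(bag_attributes, 0)
    if tag != 0x31:
        raise ValueError("bag attributes must be a DER SET")
    pos = 0
    while pos < len(body):
        _, attr, pos = _read_tlv(body, pos)
        otag, oid, p = _read_tlv(attr, 0)
        if otag == 0x06 and oid == encode_oid(FRIENDLY_NAME_OID):
            _, values, _ = _read_tlv(attr, p)
            vtag, value, _ = _read_tlv(values, 0)
            return value.decode("utf-16-be") if vtag == 0x1E else None
    return None
```

A consumer that expects the alias "tomcat" can compare `find_friendly_name(...)` against that string before trusting the bag; a bag with no friendlyName (the case the post describes) yields None.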
