
pkcs11-comment message


Subject: Virtualizing the SO (Security Officer)

For on-line enrollments the SO concept doesn't really work.
If on-line enrollments are in scope for PKCS #11, you rather need a virtual (network-based) SO.

FWIW, in SKS/KeyGen2 the solution is as follows:

It is the USER that grants initial rights to key generation etc.
The ISSUER may during provisioning also specify a KMK (Key Management Key) which will be associated with generated keys in that SESSION.
Future sessions that target existing keys must then be AUTHORIZED with the proper KMK.
I call this concept VSD (Virtual Security Domain).


