
pkcs11-comment message

Subject: Re: [pkcs11-comment] Need more details on CKA_TRUSTED for keys

My understanding is that keys generated by the normal user must have
CKA_TRUSTED FALSE; the SO can generate keys with CKA_TRUSTED TRUE, or
use C_SetAttributeValue to set it TRUE on an existing key.

It's been some years since I was involved in PKCS#11 development though.

(A related question is whether the SO can use objects with CKA_PRIVATE
TRUE, or whether "a user may not access the object until the user has
been authenticated to the token" means authenticated as the normal
user who "owns" the object. If not, then CKA_PRIVATE objects can't
ever be trusted. I suspect this is implementation dependent.)

On 26 September 2017 at 19:03, girish kumar <girishbangaram@gmail.com> wrote:
> Hi All,
> I am looking to seek clarification on the CKA_TRUSTED attribute for
> keys. As per the specification, I understood that CKA_TRUSTED can be set
> only by the SO user.
> Does this mean that CKA_TRUSTED cannot be set to TRUE when generating the key
> and can be set explicitly by the SO only using C_SetAttributeValue?
> Or does this mean the value of CKA_TRUSTED can be changed from FALSE to TRUE
> by the SO only, and can be set to any value during key generation?
> Any help in clarifying the above will be highly appreciated.
> --
> Regards,
> Girish
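The access rule stated in the reply above (a template may carry CKA_TRUSTED=TRUE only in an SO session, whether at generation time or via C_SetAttributeValue), written out as a small standalone C model. This is an added example, not code from the thread and not from any PKCS#11 library or token: the CKS_*/CKR_*/CK_* values are the standard Cryptoki constants, redefined so the file builds without pkcs11.h, but the key_object struct, the model_* functions and the choice of CKR_ATTRIBUTE_READ_ONLY as the rejection code are assumptions made for illustration (a real token may reject with a different error). The wrap check at the end shows why the rule matters: the specification ties CKA_TRUSTED to CKA_WRAP_WITH_TRUSTED, so a key flagged WRAP_WITH_TRUSTED may only leave the token under a wrapping key the SO has marked trusted.

```c
#include <stdio.h>

/* Standard PKCS#11 (Cryptoki) values, redefined here so this model builds
 * without pkcs11.h. Only the ones the thread touches are included. */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
#define CK_TRUE  1
#define CK_FALSE 0

#define CKS_RO_PUBLIC_SESSION 0UL
#define CKS_RO_USER_FUNCTIONS 1UL
#define CKS_RW_PUBLIC_SESSION 2UL
#define CKS_RW_USER_FUNCTIONS 3UL
#define CKS_RW_SO_FUNCTIONS   4UL   /* the only session state in which the SO is logged in */

#define CKR_OK                          0x000UL
#define CKR_ATTRIBUTE_READ_ONLY         0x010UL
#define CKR_WRAPPING_KEY_HANDLE_INVALID 0x113UL

/* Hypothetical minimal object model: just the two attributes under discussion. */
typedef struct {
    CK_BBOOL trusted;            /* CKA_TRUSTED */
    CK_BBOOL wrap_with_trusted;  /* CKA_WRAP_WITH_TRUSTED */
} key_object;

/* The rule from the reply: CKA_TRUSTED=TRUE is accepted only from an SO session.
 * CKA_TRUSTED=FALSE is always fine. Returning CKR_ATTRIBUTE_READ_ONLY for the
 * rejected case is this model's choice, not mandated by the specification. */
CK_ULONG check_trusted_in_template(CK_ULONG session_state, CK_BBOOL requested_trusted)
{
    if (requested_trusted == CK_FALSE)
        return CKR_OK;
    if (session_state == CKS_RW_SO_FUNCTIONS)
        return CKR_OK;
    return CKR_ATTRIBUTE_READ_ONLY;
}

/* Model of the template validation a C_GenerateKey implementation would do:
 * the whole call fails if the template asks for something the caller may not set. */
CK_ULONG model_generate_key(CK_ULONG session_state, CK_BBOOL requested_trusted,
                            CK_BBOOL wrap_with_trusted, key_object *out)
{
    CK_ULONG rv = check_trusted_in_template(session_state, requested_trusted);
    if (rv != CKR_OK)
        return rv;
    out->trusted = requested_trusted;
    out->wrap_with_trusted = wrap_with_trusted;
    return CKR_OK;
}

/* Model of C_SetAttributeValue(CKA_TRUSTED) on an existing key: same rule applies,
 * so the SO can promote a user-generated key to trusted after the fact. */
CK_ULONG model_set_trusted(CK_ULONG session_state, key_object *obj, CK_BBOOL value)
{
    CK_ULONG rv = check_trusted_in_template(session_state, value);
    if (rv != CKR_OK)
        return rv;
    obj->trusted = value;
    return CKR_OK;
}

/* Model of the C_WrapKey policy check: a CKA_WRAP_WITH_TRUSTED key may only be
 * wrapped with a key whose CKA_TRUSTED is TRUE. The error code is an assumption. */
CK_ULONG model_wrap_key(const key_object *wrapping_key, const key_object *target)
{
    if (target->wrap_with_trusted == CK_TRUE && wrapping_key->trusted != CK_TRUE)
        return CKR_WRAPPING_KEY_HANDLE_INVALID;
    return CKR_OK;
}

int main(void)
{
    key_object kek = {CK_FALSE, CK_FALSE};
    key_object data_key = {CK_FALSE, CK_TRUE};  /* constructed: must be wrapped under a trusted key */

    /* Normal user asks for CKA_TRUSTED=TRUE at generation: rejected. */
    printf("user generates trusted KEK: rv=0x%lx\n",
           model_generate_key(CKS_RW_USER_FUNCTIONS, CK_TRUE, CK_FALSE, &kek));
    /* Normal user generates it with CKA_TRUSTED=FALSE: accepted. */
    printf("user generates untrusted KEK: rv=0x%lx\n",
           model_generate_key(CKS_RW_USER_FUNCTIONS, CK_FALSE, CK_FALSE, &kek));
    /* Wrapping a WRAP_WITH_TRUSTED key under it is refused until the SO promotes it. */
    printf("wrap before SO promotion: rv=0x%lx\n", model_wrap_key(&kek, &data_key));
    printf("SO sets CKA_TRUSTED: rv=0x%lx\n", model_set_trusted(CKS_RW_SO_FUNCTIONS, &kek, CK_TRUE));
    printf("wrap after SO promotion: rv=0x%lx\n", model_wrap_key(&kek, &data_key));
    return 0;
}
```

The sequence in main is the one the reply describes: the user generates the key with CKA_TRUSTED FALSE, and only an SO session can flip it to TRUE, after which keys marked CKA_WRAP_WITH_TRUSTED can be wrapped under it. Whether an SO session can even see a CKA_PRIVATE key in order to do that is the open question in the reply and is not modelled here.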
