OASIS Mailing List Archives

pkcs11 message



Subject: Re: [pkcs11] Groups - Proposal for Secure Key Import using an RSA key uploaded


On 13/06/2013 7:24 AM, Robert Relyea wrote:
Wrapping of private keys is specified generically in Section 12.6 "Wrapping/Unwrapping Private Keys" (version 3.20, section 12.11 in PKCS #11 3.11, section 6.5 in PKCS #11 Mechanisms 2.30 draft 7). They are wrapped in PKCS #8. NSS depends on this because it puts the resulting wrapped key directly into a PKCS #12 bag.

And what will NSS do if it gets a PKCS#8 with a set of attributes contained in it which reference an unknown OID arc?
Without defining a way to carry the attributes between tokens, the wrapping mechanism is not going to achieve what MikeS is looking for as I understand it - which is cross-vendor export and import of keys retaining their PKCS#11 attributes.

This is basically two proposals wrapped into one:
- wrap using a temporary AES key saving some steps in what can already be done
- carry the PKCS11 attributes across in the wrapped format

Tim.
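
Added example (not part of the original message, and not NSS or OASIS code): the optional `attributes` field of a PKCS #8 `PrivateKeyInfo` is where attributes sit inside the wrapped blob, so an importer has to decide what to do with attribute OIDs it does not recognise. The code lists those OIDs from an already-unwrapped DER blob and splits them against a recognised set. The sample blob, the vendor OID 1.3.6.1.4.1.99999.1 and the recognised set are constructed assumptions.

```python
def tlv(tag, body):   # DER encoder, short-form length only (enough for the sample)
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    arcs, n = [], 0
    for b in body:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this sub-identifier
            arcs.append(n)
            n = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(map(str, head + arcs[1:]))

def attribute_oids(pkcs8_der):
    """List the attribute type OIDs in PrivateKeyInfo.attributes ([0] IMPLICIT)."""
    tag, body, _ = read_tlv(pkcs8_der, 0)
    if tag != 0x30:
        raise ValueError("PrivateKeyInfo must be a SEQUENCE")
    return [decode_oid(children(attr)[0][1])
            for t, attrs in children(body)[3:] if t == 0xA0   # skip version, alg, key
            for _, attr in children(attrs)]

def triage(pkcs8_der, recognised):   # -> (recognised OIDs, unknown OIDs)
    oids = attribute_oids(pkcs8_der)
    return [o for o in oids if o in recognised], [o for o in oids if o not in recognised]

# Constructed sample: rsaEncryption, a placeholder key, one vendor and one PKCS #9 attribute.
RSA = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
VENDOR_ATTR = tlv(0x30, tlv(0x06, bytes.fromhex("2b06010401868d1f01")) + tlv(0x31, tlv(0x04, b"\x01")))
NAME_ATTR = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010914")) + tlv(0x31, tlv(0x1E, b"\x00k")))
SAMPLE = tlv(0x30, tlv(0x02, b"\x00") + RSA + tlv(0x04, b"\x30\x00") + tlv(0xA0, VENDOR_ATTR + NAME_ATTR))
RECOGNISED = {"1.2.840.113549.1.9.20"}   # PKCS #9 friendlyName; the set itself is an assumption
```

Whether the unknown list is ignored, logged or treated as an import failure is a policy choice the importer has to make explicitly.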


