Subject: CKM_SEAL_KEY used with CKA_COPYABLE =false and/or CKA_EXTRACTABLE = false
How does CKM_SEAL_KEY interact with CKA_COPYABLE? It seems like CKM_SEAL_KEY can be used to get around CKA_COPYABLE. It may be that C_UnwrapKey + CKM_SEAL_KEY refuse to unwrap a sealed key when that key already exists on the token. In any case, it should be defined in the proposal after discussion.

Secondly, there is no clear guidance on what kind of CKO_SECRET_KEY can be used with CKM_SEAL_KEY. Since CKM_SEAL_KEY can operate on keys with CKA_EXTRACTABLE = CK_FALSE, unless the sealing key meets at least all of the following, CKM_SEAL_KEY can be used to circumvent token security:

* CKA_NEVER_EXTRACTABLE
* CKA_LOCAL
* A strong key (i.e., not DES)

I believe this latter point was brought up in our discussion on the phone last week. Have you come up with a solution for this?

Cheers,

Stef
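
Added example, not part of the original message or of the CKM_SEAL_KEY proposal: a toy token model in Python that enforces the two checks the message asks about, the three sealing-key conditions and a refusal to unseal a non-copyable key that is still present on the token. The `ModelToken` class, the `uid` key identity, the blob layout and the sample objects are assumptions made for illustration; no real cryptography is modelled.

```python
# PKCS#11 attribute and key-type constants (values as in pkcs11t.h).
CKA_KEY_TYPE, CKA_EXTRACTABLE = 0x100, 0x162
CKA_LOCAL, CKA_NEVER_EXTRACTABLE, CKA_COPYABLE = 0x163, 0x164, 0x171
CKK_DES, CKK_AES = 0x13, 0x1F

WEAK_KEY_TYPES = {CKK_DES}  # the message names DES; extend per token policy

# Constructed sample sealing keys (not from the page).
GOOD_SEALER = {CKA_KEY_TYPE: CKK_AES, CKA_LOCAL: True, CKA_NEVER_EXTRACTABLE: True}
IMPORTED_DES = {CKA_KEY_TYPE: CKK_DES, CKA_LOCAL: False, CKA_NEVER_EXTRACTABLE: False}


def sealing_key_problems(attrs):
    """Reasons a secret key must not be used as a sealing key (empty = OK)."""
    problems = []
    if not attrs.get(CKA_NEVER_EXTRACTABLE, False):
        problems.append("CKA_NEVER_EXTRACTABLE is not true")
    if not attrs.get(CKA_LOCAL, False):
        problems.append("CKA_LOCAL is not true")
    if attrs.get(CKA_KEY_TYPE) in WEAK_KEY_TYPES:
        problems.append("weak key type")
    return problems


class ModelToken:
    """Toy token; 'uid' is a hypothetical stable identity for a key."""

    def __init__(self):
        self.objects = {}  # uid -> attribute dict

    def seal(self, uid, sealing_attrs):
        problems = sealing_key_problems(sealing_attrs)
        if problems:
            raise PermissionError("sealing key rejected: " + "; ".join(problems))
        # Stand-in for the encrypted blob; a real token would encrypt this.
        return {"uid": uid, "attrs": dict(self.objects[uid])}

    def unseal(self, blob):
        present = blob["uid"] in self.objects
        # CKA_COPYABLE defaults to CK_TRUE when the attribute is absent.
        if present and not blob["attrs"].get(CKA_COPYABLE, True):
            raise PermissionError("key exists and CKA_COPYABLE is false")
        new_uid = blob["uid"] + "-copy" if present else blob["uid"]
        self.objects[new_uid] = dict(blob["attrs"])
        return new_uid
```

With these checks a sealed, non-copyable key can be restored only after the original has left the token, so sealing followed by unsealing cannot stand in for a copy.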