OASIS Mailing List Archives

pkcs11 message



Subject: Re: [pkcs11] Re: CKA_GLOBAL and uniqueness


On 7/5/2013 6:02 AM, Stef Walter wrote:
> On 05.07.2013 06:14, Oscar K So Jr. wrote:
>> On 07/ 4/13 08:17 AM, Stef Walter wrote:
>>> CKA_GLOBAL is not a boolean, but an enumeration. This means it's hard to
>>> C_FindObjectsInit() for all global objects. If it were a pair of boolean
>>> attributes you could search for CKA_GLOBAL = CK_TRUE.
>> Yeah, I agree with Stef.
>> But, where do we set these?


No. See my other email. But basically consider:

CKA_IS_KEY = TRUE vs searching for CKA_CLASS == CKO_PUBLIC_KEY, CKO_PRIVATE_KEY and CKO_SECRET_KEY.

One of the more useful things to be able to do is search for all the keys on a token. To do that we could have defined a CKA_IS_KEY boolean, but we didn't. Instead, we have to either search for all objects and then winnow them down, or search for classes of keys as three separate calls: secret, private and public.

If you at some time want to add a read-only CKA_IS_GLOBAL boolean along with a CKA_IS_KEY boolean to all objects, then that can be done at a later time, and we should consider what other class search booleans should also be added. I don't think it makes a lot of sense to do it though as there are other ways to get the result you want and the "search for all globals" action is going to be pretty rare for operational code.

Mike
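
The two ways of finding all keys that the message above describes, as an added example that is not part of the original thread: an in-memory Python model of PKCS#11 template matching, where a search template matches by exact equality only. The CKA_CLASS attribute and CKO_* class values follow the PKCS#11 specification; the token contents and the function names are constructed for illustration.

```python
# In-memory model of C_FindObjectsInit/C_FindObjects template matching.
# CKO_* values follow the PKCS#11 spec; everything else is hypothetical.
CKO_DATA, CKO_CERTIFICATE, CKO_PUBLIC_KEY, CKO_PRIVATE_KEY, CKO_SECRET_KEY = range(5)
KEY_CLASSES = (CKO_PUBLIC_KEY, CKO_PRIVATE_KEY, CKO_SECRET_KEY)

# Constructed sample token: object handle -> attributes.
TOKEN = {
    1: {"CKA_CLASS": CKO_CERTIFICATE, "CKA_LABEL": "tls-cert"},
    2: {"CKA_CLASS": CKO_PUBLIC_KEY, "CKA_LABEL": "tls"},
    3: {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_LABEL": "tls"},
    4: {"CKA_CLASS": CKO_SECRET_KEY, "CKA_LABEL": "wrap"},
    5: {"CKA_CLASS": CKO_DATA, "CKA_LABEL": "config"},
}


def find_objects(token, template):
    """Return handles whose attributes equal every template entry.

    Matching is exact equality per attribute, ANDed together. There is no
    way to express "class is one of A, B, C" in a single template, and an
    empty template matches every object.
    """
    return sorted(
        handle
        for handle, attrs in token.items()
        if all(attrs.get(name) == value for name, value in template.items())
    )


def keys_by_class_searches(token):
    """Three separate searches, one per key class, with results merged."""
    found = set()
    for key_class in KEY_CLASSES:
        found.update(find_objects(token, {"CKA_CLASS": key_class}))
    return sorted(found)


def keys_by_winnowing(token):
    """One search for all objects, then filter on CKA_CLASS afterwards
    (stands in for reading the attribute back from each handle)."""
    return [h for h in find_objects(token, {})
            if token[h]["CKA_CLASS"] in KEY_CLASSES]


if __name__ == "__main__":
    print("three searches:", keys_by_class_searches(TOKEN))
    print("winnowing:     ", keys_by_winnowing(TOKEN))
```
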


