Subject: Re: [pkcs11] pkcs11-global-objects.docx: CKA_GLOBAL


On 7/3/2013 6:06 PM, Oscar K So Jr. wrote:
Thanks Michael.

I see. The CKA_GLOBAL has a larger scope than CKA_TOKEN.
CKA_TOKEN persists through session close.
CKA_GLOBAL persists through token re-InitToken.

And, one side comment here on C_InitToken that you mention: if a user wishes to rename a token label, going through CKM_SEAL_KEY... etc., then C_InitToken with a new token label, and restoring (UnwrapKey...) whatever back into the token is also, I consider, another way of renaming a token. Just a longer way, but it will work. :-)

Best,
Oscar



No. It won't. When you initialize (zeroize) a token, the previous seal keys are thrown away and any key material sealed by that seal key is no better than random bits. When you re-initialize the token, you generate a new seal key - which basically CAN'T unwrap the previously sealed keys.

That explanation is with the description of what seal keys are - pkcs11-global-objects.docx - on the pkcs11 doc store.

Mike
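The object-lifetime distinction in the exchange above (session objects, CKA_TOKEN objects, CKA_GLOBAL objects) and Mike's point about seal keys can be shown with a small model. The code below is an added illustration written for this page; it is not from the pkcs11-global-objects draft or from any PKCS#11 implementation. The Token class, its seal/unseal methods and the SHA-256-based wrap construction are assumptions made for the demo (a toy encrypt-then-MAC, not CKM_SEAL_KEY); CKA_LABEL, CKA_TOKEN and CKA_VALUE are standard PKCS#11 attribute names, and CKA_GLOBAL follows the semantics described in the thread. It shows that C_InitToken regenerates the seal key, so a blob sealed before re-initialization fails its integrity check afterwards, while CKA_GLOBAL objects survive the re-initialization.

```python
import hashlib
import hmac
import os


def _keystream(key, nonce, n):
    """Toy keystream: SHA-256 over (key || nonce || counter). Illustration only."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


class Token:
    """Constructed model of a PKCS#11 token (assumed, not a real implementation)."""

    def __init__(self, label):
        self.label = label
        self.seal_key = os.urandom(32)   # generated at token initialization
        self.objects = {}                # handle -> attribute dict
        self._next = 1

    def create_object(self, attrs):
        handle = self._next
        self._next += 1
        self.objects[handle] = dict(attrs)
        return handle

    def close_all_sessions(self):
        # Session objects disappear; CKA_TOKEN objects persist past session close.
        self.objects = {h: a for h, a in self.objects.items() if a.get("CKA_TOKEN")}

    def init_token(self, new_label):
        # C_InitToken zeroizes the token: only CKA_GLOBAL objects survive (per the
        # thread), and the seal key is thrown away and regenerated.
        self.label = new_label
        self.objects = {h: a for h, a in self.objects.items() if a.get("CKA_GLOBAL")}
        self.seal_key = os.urandom(32)

    def seal(self, handle):
        # Wrap an object's value under the current seal key (toy encrypt-then-MAC).
        value = self.objects[handle]["CKA_VALUE"]
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(value, _keystream(self.seal_key, nonce, len(value))))
        tag = hmac.new(self.seal_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def unseal(self, blob, attrs):
        # Fails closed: a blob sealed under a different (destroyed) seal key is
        # indistinguishable from random bits and cannot be recovered.
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self.seal_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("seal key mismatch: sealed blob cannot be recovered")
        value = bytes(a ^ b for a, b in zip(ct, _keystream(self.seal_key, nonce, len(ct))))
        return self.create_object({**attrs, "CKA_VALUE": value})


def round_trip_ok():
    """Seal and unseal on the same token (same seal key) recovers the key material."""
    t = Token("lab")
    secret = os.urandom(32)
    k = t.create_object({"CKA_LABEL": "k", "CKA_TOKEN": True, "CKA_VALUE": secret})
    restored = t.unseal(t.seal(k), {"CKA_LABEL": "k", "CKA_TOKEN": True})
    return t.objects[restored]["CKA_VALUE"] == secret


def rename_via_reinit_fails():
    """The 'seal, C_InitToken with new label, unseal' rename idea: unseal fails."""
    t = Token("old label")
    k = t.create_object({"CKA_LABEL": "k", "CKA_TOKEN": True, "CKA_VALUE": os.urandom(32)})
    blob = t.seal(k)
    t.init_token("new label")          # old seal key is gone, new one generated
    try:
        t.unseal(blob, {"CKA_LABEL": "k", "CKA_TOKEN": True})
    except ValueError:
        return True
    return False


def persistence():
    """Which object classes survive (close-all-sessions, C_InitToken)."""
    t = Token("lab")
    s = t.create_object({"CKA_LABEL": "session"})
    k = t.create_object({"CKA_LABEL": "token", "CKA_TOKEN": True})
    g = t.create_object({"CKA_LABEL": "global", "CKA_TOKEN": True, "CKA_GLOBAL": True})
    t.close_all_sessions()
    after_close = {h: h in t.objects for h in (s, k, g)}
    t.init_token("lab2")
    after_init = {h: h in t.objects for h in (s, k, g)}
    return {
        "session": (after_close[s], after_init[s]),
        "token": (after_close[k], after_init[k]),
        "global": (after_close[g], after_init[g]),
    }


if __name__ == "__main__":
    print("round trip:", round_trip_ok())
    print("rename via re-init works:", not rename_via_reinit_fails())
    print("persistence (after close, after init):", persistence())
```

The failure in rename_via_reinit_fails is the behaviour Mike describes: nothing about the blob is wrong, but the only key that could authenticate and decrypt it was zeroized by C_InitToken, so the material is unrecoverable regardless of the new label.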