Subject: Re: [pkcs11] pkcs11-global-objects.docx: CKA_GLOBAL


Thanks Michael, please see my questions at the bottom of this email.

On 07/5/13 09:29 AM, Michael StJohns wrote:
> On 7/3/2013 6:06 PM, Oscar K So Jr. wrote:
>> Thanks Michael.
>>
>> I see. CKA_GLOBAL has a larger scope than CKA_TOKEN.
>> CKA_TOKEN persists through session close.
>> CKA_GLOBAL persists through token re-InitToken.
>>
>> And, one side comment here on C_InitToken, which you mentioned: if a user wishes to rename a token label, going through CKM_SEAL_KEY, etc., then calling C_InitToken with a new token label, and restoring (UnwrapKey, etc.) whatever was there back into the token could also be considered another way of renaming a token. Just a longer way, but it will work. :-)
>>
>> Best,
>> Oscar
>
> No.  It won't.  When you initialize (zeroize) a token, the previous seal keys are thrown away and any key material sealed by that seal key is no better than random bits.  When you re-initialize the token, you generate a new seal key - which basically CAN'T unwrap the previously sealed keys.


This is where I get confused.
I need more explanation here.

Q#4 (continuing the numbering from previous emails):

In pkcs11-cka-global.docx, you wrote:

" 1   Global Attribute Values

CKA_GLOBAL - CK_GLOBAL_TYPES

This attribute is used to identify objects that generally persist through reinitializations of individual tokens, but are created through token or driver action and not user action."

The statement, "objects (you meant: "wrapped objects") that generally persist through reinitializations of individual tokens", seems to have conflicts with your previous email which says, "When you initialize zeroize a token, the previous seal keys are thrown away".

"Thrown away" and "persist through reinitializations" conflict with each other.

If the seal key is being "thrown away", how can we unwrap the "wrapped objects" after reinitialization of the token?
If we cannot, how can those "wrapped objects" "persist through reinitializations"?

It would be very helpful if you could draw two (2) state diagrams to explain the seal key life cycle:

a) when CKA_GLOBAL != CKV_NOT_GLOBAL
    when does the seal key get created, where is it stored, and when is it destroyed?

b) when CKA_GLOBAL == CKV_NOT_GLOBAL
    when does the seal key get created, where is it stored, and when is it destroyed?


Q#5:
How many seal keys can you have per token?
If you can have more than one, how do you know which seal key was used to wrap which object?

Thanks!

-- 

Best,
Oscar

