Subject: Re: [pkcs11] CKA_DESTROYABLE


I commented on this in my other response, but I'll pull out my comments
here so discussion can happen in the right place.

On 26.09.2013 21:20, Michael StJohns wrote:
> I've started work on the 3.0 "protection attributes" section.  As part
> of that, I ended up writing a description of the CKA_DESTROYABLE
> attribute - and that made me think about some interesting interactions
> with CKA_TOKEN.
> 
> I'm half thinking that we need to update the description of
> CKA_DESTROYABLE for 2.4 as I don't think we covered this properly.
> 
> (I've got CKA_DESTROYABLE as a sticky attribute with the sticky value
> being CK_FALSE and the unset default value being CK_TRUE)
> 
> Here's what I've written on this:
> 
> 
>         CKA_DESTROYABLE
> 
> This attribute controls the use of the *C_DestroyObject* command on the
> containing object.  The command may only be used on the object if the
> value of *CKA_DESTROYABLE* of the object being destroyed is set to
> *CK_TRUE*.  

Sounds good.

> If this attribute is set to *CK_FALSE*, then if the
> *CKA_TOKEN* attribute is set to *CK_TRUE* (e.g. the object is a token
> object), the object is persistent until the token is reinitialized
> through a call to *C_InitToken*, or zeroized through non-PKCS11 means.
> Otherwise, if the object is a session object, setting the attribute to
> *CK_TRUE* causes the object to persist until the session is terminated.

These sentences are confusing and/or unnecessary. When the token is
reinitialized or the session is terminated, objects are handled identically
regardless of what CKA_DESTROYABLE is set to. The only difference is
whether C_DestroyObject can be called, which you already noted in the
preceding text.

> If a non-destroyable session object is changed to a token object, ...

This text doesn't make sense. It is not possible to change an object
from a token to a session object or vice versa. CKA_TOKEN is never
modifiable.

Cheers,

Stef
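The rules argued over in this message (C_DestroyObject honours CKA_DESTROYABLE, session termination and C_InitToken do not, CKA_TOKEN is never modifiable, and CKA_DESTROYABLE defaults to CK_TRUE and is sticky at CK_FALSE), as an added toy model written for this archive page; it is not code from the thread or from any PKCS#11 implementation. The `model_*` functions, the single-array object store and the numeric values of the CKR_* constants are assumptions, not pkcs11.h.

```c
#include <stdbool.h>
/* Local stand-ins named after the pkcs11.h symbols; the values are assumed. */
typedef unsigned long CK_RV;
#define CKR_OK                  0x000UL
#define CKR_ATTRIBUTE_READ_ONLY 0x010UL
#define CKR_ACTION_PROHIBITED   0x1ABUL
typedef struct {
    bool in_use;      /* slot holds a live object */
    bool token;       /* CKA_TOKEN: fixed at creation, never modifiable */
    bool destroyable; /* CKA_DESTROYABLE: default CK_TRUE, sticky at CK_FALSE */
} Object;
#define MAX_OBJ 8
static Object store[MAX_OBJ]; /* handles are indexes and assumed valid below */
static int next_handle;

/* C_CreateObject: destroyable < 0 means the template omitted CKA_DESTROYABLE,
 * so the unset default CK_TRUE applies. Returns a handle, or -1 when full. */
int model_create(bool token, int destroyable) {
    if (next_handle == MAX_OBJ) return -1;
    store[next_handle] = (Object){ true, token, destroyable < 0 || destroyable };
    return next_handle++;
}

/* C_DestroyObject: honoured only when CKA_DESTROYABLE is CK_TRUE. */
CK_RV model_destroy(int h) {
    if (!store[h].destroyable) return CKR_ACTION_PROHIBITED;
    store[h].in_use = false;
    return CKR_OK;
}
/* C_SetAttributeValue on CKA_TOKEN is always refused: an object never switches
 * between session and token after creation. */
CK_RV model_set_token(int h, bool value) { (void)h; (void)value; return CKR_ATTRIBUTE_READ_ONLY; }
/* C_SetAttributeValue on CKA_DESTROYABLE: CK_TRUE -> CK_FALSE is allowed,
 * CK_FALSE -> CK_TRUE is refused because CK_FALSE is the sticky value. */
CK_RV model_set_destroyable(int h, bool value) {
    if (!store[h].destroyable && value) return CKR_ATTRIBUTE_READ_ONLY;
    store[h].destroyable = value;
    return CKR_OK;
}

/* Session termination drops session objects and C_InitToken drops token
 * objects; neither consults CKA_DESTROYABLE. */
static void drop(bool token_objs) {
    for (int h = 0; h < MAX_OBJ; h++) if (store[h].token == token_objs) store[h].in_use = false;
}
void model_close_session(void) { drop(false); }
void model_init_token(void)    { drop(true); }
int model_live_count(void) { int n = 0; for (int h = 0; h < MAX_OBJ; h++) n += store[h].in_use; return n; }
```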
