OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

pkcs11 message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [pkcs11] PKCS#11 Object Uniqueness error codes

On 15/07/2014 1:09 AM, Oscar So wrote:
> Perhaps, we can also set the CKA_ID during key generation where:
> C_GenerateKey
> CKA_ID = SHA1(symmetric key CKA_VALUE)
> C_GenerateKeyPair
> CKA_ID = SHA1(modulus) //this is how Mozilla set CKA_ID in
> Firefox/Thunderbird
> Hopefully, all CKA_ID(s) generated from the above method are unique.
> We can then compare all CKA_ID(s) value to determine when to return:

You can do this - but the CKA_ID itself is also not guaranteed to be
present or unique and there are devices which happily report multiple
objects with the same CKA_ID value.

We had quite a few discussions on this topic - the choices we faced are
to either add in a new attribute or change the explicitly documented
behaviour in the specification for one or more of the existing
attributes. Many vendors do this as one of their vendor-specific
extensions - but there is no currently defined requirement for this.

I for one would like to see a simple mandatory attribute added which was
the unique identifier (and not tied to anything other than the object
itself so any changes to attributes etc do not effect its value) - but
that wasn't something which made it into v2.40 ...


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]