Subject: Re: [pkcs11] PKCS#11 Object Uniqueness error codes


The uniqueness can only be applied to a set of defined domains or a centralized server that generates CKA_ID and all applications must go through this server. For example, the CKA_ID can only be guaranteed to be unique within these 3 servers.

Currently, one CKA_ID is tied to all of the below objects:
CKO_PUBLIC_KEY
CKO_PRIVATE_KEY
CKO_CERTIFICATE
CKO_PASSWORD
So, a new attribute, CKA_UUID (or something), seems to be a good idea which identifies every CKO_* object uniquely.

This is for PKCS #11 v3.00

-Oscar




On 07/14/14 08:45 AM, Tim Hudson wrote:
On 15/07/2014 1:09 AM, Oscar So wrote:
Perhaps we can also set the CKA_ID during key generation where:

C_GenerateKey
CKA_ID = SHA1(symmetric key CKA_VALUE)

C_GenerateKeyPair
CKA_ID = SHA1(modulus) // this is how Mozilla sets CKA_ID in Firefox/Thunderbird

Hopefully, all CKA_ID(s) generated from the above method are unique.
We can then compare all CKA_ID(s) value to determine when to return:
CKR_OBJECT_EXISTS or CKR_KEY_EXISTS

You can do this - but the CKA_ID itself is also not guaranteed to be
present or unique and there are devices which happily report multiple
objects with the same CKA_ID value.

We had quite a few discussions on this topic - the choices we faced are
to either add in a new attribute or change the explicitly documented
behaviour in the specification for one or more of the existing
attributes. Many vendors do this as one of their vendor-specific
extensions - but there is no currently defined requirement for this.

I for one would like to see a simple mandatory attribute added which was
the unique identifier (and not tied to anything other than the object
itself so any changes to attributes etc. do not affect its value) - but
that wasn't something which made it into v2.40 ...

Tim.


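As an added illustration (not code from the thread or from any PKCS#11 implementation): a small Python model of the CKA_ID derivation proposed above and of a per-class duplicate check, which also accounts for Tim's caveat that some objects carry no CKA_ID at all. The object table, moduli, key value and labels are constructed placeholders, and CKO_* names stand in for the numeric CKA_CLASS values.

```python
import hashlib
from collections import defaultdict

# Constructed sample key material (placeholders, not real RSA moduli or keys).
MODULUS_A = bytes.fromhex("c0ffee0123456789abcdef")
MODULUS_B = bytes.fromhex("decafbad0123456789abcdef")
SECRET_A = b"\x01" * 32

# Stand-in for a token's object table: one dict of attributes per object,
# with the CKO_* class names used as the CKA_CLASS value.
OBJECTS = [
    {"label": "rsa-a-pub", "class": "CKO_PUBLIC_KEY", "modulus": MODULUS_A},
    {"label": "rsa-a-priv", "class": "CKO_PRIVATE_KEY", "modulus": MODULUS_A},
    {"label": "rsa-a-cert", "class": "CKO_CERTIFICATE", "modulus": MODULUS_A},
    {"label": "rsa-b-pub", "class": "CKO_PUBLIC_KEY", "modulus": MODULUS_B},
    {"label": "rsa-b-priv", "class": "CKO_PRIVATE_KEY", "modulus": MODULUS_B},
    # Second public-key object for modulus A: the duplicate a token should refuse.
    {"label": "rsa-a-pub-copy", "class": "CKO_PUBLIC_KEY", "modulus": MODULUS_A},
    {"label": "aes-a", "class": "CKO_SECRET_KEY", "value": SECRET_A},
    # Data object with no CKA_ID and nothing to derive one from (Tim's caveat).
    {"label": "data-blob", "class": "CKO_DATA"},
]

def cka_id_of(obj):
    """Explicit CKA_ID if set; else the thread's derivation (SHA-1 of the
    modulus, or of CKA_VALUE for symmetric keys); else None."""
    if "CKA_ID" in obj:
        return obj["CKA_ID"]
    if "modulus" in obj:
        return hashlib.sha1(obj["modulus"]).digest()
    if obj["class"] == "CKO_SECRET_KEY" and "value" in obj:
        return hashlib.sha1(obj["value"]).digest()
    return None

def check_uniqueness(objects):
    """Index objects by (CKA_CLASS, CKA_ID). One id shared across the public key,
    private key and certificate of a pair is the intended linkage; the same id
    twice within one class is the collision the thread would report as
    CKR_OBJECT_EXISTS / CKR_KEY_EXISTS. Returns (collisions, labels_without_id)."""
    seen, missing = defaultdict(list), []
    for obj in objects:
        cid = cka_id_of(obj)
        if cid is None:
            missing.append(obj["label"])
            continue
        seen[(obj["class"], cid.hex())].append(obj["label"])
    return {k: v for k, v in seen.items() if len(v) > 1}, missing
```

Running `check_uniqueness(OBJECTS)` flags only the two CKO_PUBLIC_KEY objects for modulus A as a collision and lists `data-blob` as having no CKA_ID.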