Subject: Re: [pkcs11] PKCS#11 Object Uniqueness error codes
On 07/14/2014 10:22 AM, Oscar So wrote:
Oh, I meant CKO_DATA (not CKO_PASSWORD - never defined), which represents an authentication object, the PIN as described on page 8 of the PKCS #15 spec: ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-15/pkcs-15v1_1.pdf

And, for CKO_SECRET_KEY, that should be another CKA_ID that represents CKO_SECRET_KEY. But I don't see applications using CKA_ID to represent CKO_SECRET_KEY. Applications mostly use CKA_LABEL to represent CKO_SECRET_KEY, and try to make CKA_LABEL unique within their domain.
NSS uses CKA_ID on CKO_SECRET_KEYs to manage things like the Firefox password ring. From an API layer we call it SDR (secret decoder ring :). Data encrypted with this toolkit includes the CKA_ID of the key that encrypted the data, so you can have more than one active. Unfortunately that data is only unique to a token. Multiple Firefox databases all have the same CKA_ID for different keys. :(
bob
Anyway...
-Oscar

On 07/14/14 10:05 AM, Tim Hudson wrote:
On 15/07/2014 2:54 AM, Oscar So wrote:
The uniqueness can only be applied to a set of defined domains or a centralized server that generates CKA_ID, and all applications must go through this server. For example, the CKA_ID can only be guaranteed to be unique within these 3 servers. Currently, one CKA_ID is tied to all of the below objects:
CKO_PUBLIC_KEY
CKO_PRIVATE_KEY
CKO_CERTIFICATE
CKO_PASSWORD
So, a new attribute, CKA_UUID (or something), seems to be a good idea which identifies every CKO_* object uniquely. This is for PKCS #11 v3.00.

Actually that sort of change could be added into a v2.41 if we wanted to do so. There is nothing as yet which commits to moving straight to a v3.0 - and the list of items for v3.0 is somewhat broad, so the time frame is unclear (to me at least).

BTW I assume CKO_PASSWORD is a vendor-specific extension of yours, or a typo, or did you mean CKO_SECRET_KEY?

Tim.
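The CKA_ID collision Bob describes (the same CKA_ID on different CKO_SECRET_KEY objects in different Firefox databases) can be shown with a small model of C_FindObjects template matching. This is an added example, not NSS or any thread participant's code: the attribute and class constants mirror pkcs11.h, but the object store, the slot numbers and the "sdr-key-01" ids are constructed stand-ins.

```c
/* Added example: models PKCS#11 C_FindObjects template matching to show why a
   CKA_ID is only unique within one token. Constants mirror pkcs11.h; the
   object store below is constructed, not a real token. */
#include <stddef.h>
#include <string.h>

typedef unsigned long CK_ULONG;
#define CKA_CLASS      0x00000000UL   /* attribute/class values as in pkcs11.h */
#define CKA_ID         0x00000102UL
#define CKO_SECRET_KEY 0x00000004UL

typedef struct { CK_ULONG type; const void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;

/* One stored object: the token (slot) holding it, its class and its CKA_ID. */
typedef struct { CK_ULONG token_slot; CK_ULONG cls; const char *id; } StoredObject;

/* Constructed store: two tokens (think two Firefox profile databases) that both
   hold a secret key tagged "sdr-key-01", i.e. the collision from the thread. */
static const StoredObject store[] = {
    { 1, CKO_SECRET_KEY, "sdr-key-01" },
    { 2, CKO_SECRET_KEY, "sdr-key-01" },
    { 2, CKO_SECRET_KEY, "sdr-key-02" },
};
static const size_t store_len = sizeof store / sizeof store[0];

/* A template attribute matches only if type, length and value all agree. */
static int attr_matches(const StoredObject *obj, const CK_ATTRIBUTE *a) {
    switch (a->type) {
    case CKA_CLASS: return a->ulValueLen == sizeof(CK_ULONG) &&
                           *(const CK_ULONG *)a->pValue == obj->cls;
    case CKA_ID:    return a->ulValueLen == strlen(obj->id) &&
                           memcmp(a->pValue, obj->id, a->ulValueLen) == 0;
    default:        return 0; /* attribute not modelled here: treat as no match */
    }
}

/* Count objects matching every template attribute; slot 0 means search all tokens. */
size_t find_objects(const CK_ATTRIBUTE *tmpl, CK_ULONG n, CK_ULONG slot) {
    size_t hits = 0;
    for (size_t i = 0; i < store_len; i++) {
        if (slot && store[i].token_slot != slot) continue;
        CK_ULONG j = 0;
        while (j < n && attr_matches(&store[i], &tmpl[j])) j++;
        if (j == n) hits++;   /* all attributes matched, as C_FindObjects requires */
    }
    return hits;
}

/* Resolve the key an SDR-style blob names by CKA_ID: unambiguous within one
   token, but two candidates once more than one token is searched. */
size_t keys_for_id(const char *id, CK_ULONG slot) {
    CK_ULONG cls = CKO_SECRET_KEY;
    CK_ATTRIBUTE tmpl[2] = {
        { CKA_CLASS, &cls, sizeof cls },
        { CKA_ID, id, (CK_ULONG)strlen(id) },
    };
    return find_objects(tmpl, 2, slot);
}
```

A lookup scoped to one token returns exactly one key, while the same CKA_ID searched across both tokens returns two, which is why the thread asks for a per-object identifier that is unique beyond the token.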