Subject: RE: [pkcs11] Register vendor defined attribute types?


Hi Mark,

 

I don’t know the answer to where you should define your attribute. It seems like something we should be doing in the TC, perhaps.

 

With respect to your need of an attribute, we took a different approach at QuintessenceLabs in the implementation of our KMIP PKCS#11 token. All vendor specific stuff is specified in a token configuration file. One of our design goals was to support existing applications without requiring source code, or binary changes.

 

Regards,

John

 

From: pkcs11@lists.oasis-open.org [mailto:pkcs11@lists.oasis-open.org] On Behalf Of Mark Joseph
Sent: Sunday, 30 November 2014 6:57 AM
To: OASIS PKCS #11 TC
Subject: [pkcs11] Register vendor defined attribute types?

 

Hi,

 

Taken from the 2.40 base PKCS 11 specification:

"Attribute types CKA_VENDOR_DEFINED and above are permanently reserved for token vendors. For interoperability, vendors should register their attribute types through the PKCS process."

 

How do we do this? We have the following attribute to define:

P6R defines the following vendor defined attribute:

CKA_P6R_GROUP   0x80001000UL
Data Type: RFC 2279 string
MUST be specified when object is created with C_CreateObject.
MUST be specified when object is created with C_GenerateKey or C_GenerateKeyPair.

The purpose of this extension is to provide basic support for KMIP groups. CKA_P6R_GROUP maps into the KMIP “Object Group” attribute. Without the CKA_P6R_GROUP attribute defined the “default” KMIP group is used. P6R’s Keystore has the concept of namespaces. These are similar to groups in that they provide collections of objects. When CKA_P6R_GROUP is used for the Software Token its value is mapped into the Keystore’s namespace parameter. Without the CKA_P6R_GROUP attribute defined the Software Token uses the “PKCS11” namespace by default.

(Taken from https://www.p6r.com/articles/2014/11/22/p6rs-pkcs-11-provider/).

 

We did not see any way to implement groups other than a new attribute. Has anyone else done the same sort of thing?

 


Best,


Mark Joseph, Ph.D. 

President P6R, Inc 

408-205-0361 

Skype: markjoseph_sc 
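The following is an added illustration, not code from P6R, QuintessenceLabs or the PKCS#11 TC, of how a token might consume a vendor-defined attribute like the CKA_P6R_GROUP described in the message above. It shows that 0x80001000 is CKA_VENDOR_DEFINED (0x80000000) plus a vendor-chosen offset, looks the attribute up in a C_CreateObject-style template, validates the value as an RFC 2279 (UTF-8) string, and falls back to a default group name when the attribute is absent, which is the behaviour the post describes. The minimal CK_* type and constant definitions are reproduced inline so the file compiles without pkcs11.h; the function names, the "hsm-keys" sample value and the `required` flag are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal subset of the PKCS#11 types and return codes, declared here so the
 * example builds without the OASIS pkcs11.h header (values match the spec). */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_ATTRIBUTE_TYPE;
typedef CK_ULONG CK_RV;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;

#define CKA_VENDOR_DEFINED          0x80000000UL
#define CKR_OK                      0x00UL
#define CKR_ATTRIBUTE_VALUE_INVALID 0x13UL
#define CKR_TEMPLATE_INCOMPLETE     0xD0UL
#define CKR_BUFFER_TOO_SMALL        0x150UL

/* The attribute from the post: the vendor-defined base plus a vendor offset.
 * This evaluates to 0x80001000UL, the value P6R quotes. */
#define CKA_P6R_GROUP (CKA_VENDOR_DEFINED | 0x1000UL)

/* Length of a UTF-8 sequence from its lead byte, using the RFC 2279 forms
 * (which still include 5- and 6-byte sequences; RFC 3629 later removed them).
 * Returns 0 for bytes that can never start a sequence: stray continuation
 * bytes 0x80-0xBF, the overlong leads 0xC0/0xC1, and 0xFE/0xFF. */
static int utf8_seq_len(unsigned char c)
{
    if (c < 0x80) return 1;
    if (c >= 0xC2 && c <= 0xDF) return 2;
    if (c >= 0xE0 && c <= 0xEF) return 3;
    if (c >= 0xF0 && c <= 0xF7) return 4;
    if (c >= 0xF8 && c <= 0xFB) return 5;
    if (c >= 0xFC && c <= 0xFD) return 6;
    return 0;
}

/* Structural UTF-8 check: every lead byte is valid and is followed by the
 * right number of 10xxxxxx continuation bytes within the buffer. */
int is_valid_utf8(const unsigned char *s, size_t n)
{
    size_t i = 0;
    while (i < n) {
        int len = utf8_seq_len(s[i]);
        if (len == 0 || i + (size_t)len > n) return 0;
        for (int k = 1; k < len; k++)
            if ((s[i + k] & 0xC0) != 0x80) return 0;
        i += (size_t)len;
    }
    return 1;
}

/* Find an attribute of the given type in a template (as passed to
 * C_CreateObject, C_GenerateKey or C_GenerateKeyPair). */
const CK_ATTRIBUTE *find_attr(const CK_ATTRIBUTE *tmpl, CK_ULONG count, CK_ATTRIBUTE_TYPE type)
{
    for (CK_ULONG i = 0; i < count; i++)
        if (tmpl[i].type == type) return &tmpl[i];
    return NULL;
}

/* Resolve the group/namespace for a new object. With `required` set the
 * attribute must be present (the "MUST be specified" rule in the post);
 * otherwise its absence selects `fallback`, e.g. "default" for the KMIP
 * Object Group or "PKCS11" for the Software Token namespace. A present value
 * must be non-empty, NUL-free, valid UTF-8, and fit in `out`. */
CK_RV resolve_group(const CK_ATTRIBUTE *tmpl, CK_ULONG count, int required,
                    const char *fallback, char *out, size_t outsz)
{
    const CK_ATTRIBUTE *a = find_attr(tmpl, count, CKA_P6R_GROUP);
    if (a == NULL) {
        if (required) return CKR_TEMPLATE_INCOMPLETE;
        if (strlen(fallback) + 1 > outsz) return CKR_BUFFER_TOO_SMALL;
        strcpy(out, fallback);
        return CKR_OK;
    }
    if (a->pValue == NULL || a->ulValueLen == 0) return CKR_ATTRIBUTE_VALUE_INVALID;
    if (a->ulValueLen + 1 > outsz) return CKR_BUFFER_TOO_SMALL;
    if (memchr(a->pValue, '\0', a->ulValueLen) != NULL) return CKR_ATTRIBUTE_VALUE_INVALID;
    if (!is_valid_utf8((const unsigned char *)a->pValue, a->ulValueLen))
        return CKR_ATTRIBUTE_VALUE_INVALID;
    memcpy(out, a->pValue, a->ulValueLen);
    out[a->ulValueLen] = '\0';
    return CKR_OK;
}

int main(void)
{
    /* Constructed sample template: a C_CreateObject caller naming a group. */
    CK_ATTRIBUTE tmpl[] = { { CKA_P6R_GROUP, (void *)"hsm-keys", 8 } };
    char group[64];
    CK_RV rv = resolve_group(tmpl, 1, 1, "PKCS11", group, sizeof group);
    printf("CKA_P6R_GROUP = 0x%08lx, rv = 0x%lx, group = %s\n", CKA_P6R_GROUP, rv, group);
    rv = resolve_group(NULL, 0, 0, "PKCS11", group, sizeof group);
    printf("no attribute: rv = 0x%lx, group = %s\n", rv, group);
    return 0;
}
```

The check that matters for a real token is the one on the value: a vendor attribute arrives as an arbitrary byte buffer from the caller, so its length and encoding are validated before it is used as a namespace or forwarded as a KMIP Object Group name.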


