Subject: Draft proposal for serialising templates
A long long time ago (last F2F) I proposed to add to P11 the capability to serialise a template when calling C_Wrap and add it to the cipher text so that it can be unwrapped with the same template it used to have. This, together with the new authenticated encryption modes in v2.40 (GCM, CCM), allows a lot of new key-management operations to be carried out securely, notably making back-ups of long-term keys in several HSMs or duplicating private keys across sites in a secure and standards-compliant way.
Finally we found time to draft a document about this. We deliberately mimic KMIP as much as possible. I attached the draft to this mail; I'll also upload it to the docs page of the OASIS TC pages. If there is time for anyone to look at it and give preliminary comments on the call tonight, that would be great; otherwise comments on the list would be very welcome.
PKCS11 wrapping with templates - draft.odt