
pkcs11 message



Subject: Proposed Response for CKA_Trusted query


Hi Folks,

Here is my proposed response to the query received on the comment list (https://lists.oasis-open.org/archives/pkcs11-comment/201709/msg00000.html) for discussion on this week's call.

"I am looking to seek clarifications for the CKA_TRUSTED attributes for the keys. As per the specification, I understood that the CKA_TRUSTED can be set only by the SO user.
Does this mean, CKA_TRUSTED cannot be set to TRUE when generating the key and can be set explicitly by SO only using C_SetAttributeValue.
Or does this mean the value of CKA_TRUSTED can be changed from FALSE to TRUE by SO only and can be set to any value during key generation."


"I am looking to seek clarifications for the CKA_TRUSTED attributes for the keys. As per the specification, I understood that the CKA_TRUSTED can be set only by the SO user."
This is correct

"Does this mean, CKA_TRUSTED cannot be set to TRUE when generating the key......"
This is correct if the user performing the key generation is not the SO

"....and can be set explicitly by SO only using C_SetAttributeValue."
Typically YES - although objects may be created via other (non-PKCS#11) means during token initialization

"Or does this mean the value of CKA_TRUSTED can be changed from FALSE to TRUE by SO only...."
This is correct

"....and can be set to any value during key generation."
This is NOT correct

Thanks,

--

Tony Cox

VP Partners, Alliances & Standards

Cryptsoft

P:  +61 7 3103 0321, US:  +1 (650) 918 4307

tony.cox@cryptsoft.com
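
The rule confirmed in this message, written as a token-side template check. This is an added example, not part of the original message and not code from the PKCS#11 specification; the helper name `check_trusted_template`, the choice of `CKR_ATTRIBUTE_READ_ONLY` as the refusal code and the inline type stand-ins are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the few pkcs11.h definitions used here, so the example
 * builds on its own; the numeric values match the standard headers. */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CK_TRUE  1
#define CK_FALSE 0
#define CKU_SO   0UL
#define CKU_USER 1UL
#define CKA_TRUSTED                 0x00000086UL
#define CKR_OK                      0x00000000UL
#define CKR_ATTRIBUTE_READ_ONLY     0x00000010UL
#define CKR_ATTRIBUTE_VALUE_INVALID 0x00000013UL

/* Hypothetical helper: vet a template before key generation or
 * C_SetAttributeValue acts on it. user_type is the session's logged-in
 * user. Only the "set to CK_TRUE" rule from the thread is enforced. */
CK_ULONG check_trusted_template(CK_ULONG user_type,
                                const CK_ATTRIBUTE *tmpl, CK_ULONG count)
{
    /* Scan every entry so a repeated CKA_TRUSTED cannot hide a TRUE
     * behind an earlier FALSE. */
    for (CK_ULONG i = 0; i < count; i++) {
        if (tmpl[i].type != CKA_TRUSTED)
            continue;
        if (tmpl[i].pValue == NULL || tmpl[i].ulValueLen != sizeof(CK_BBOOL))
            return CKR_ATTRIBUTE_VALUE_INVALID;
        CK_BBOOL wanted = *(const CK_BBOOL *)tmpl[i].pValue;
        /* Anyone other than the SO asking for TRUE is refused, at
         * generation time as well as on a later attribute change. */
        if (wanted != CK_FALSE && user_type != CKU_SO)
            return CKR_ATTRIBUTE_READ_ONLY; /* assumed return code */
    }
    return CKR_OK;
}

int main(void)
{
    CK_BBOOL yes = CK_TRUE; /* constructed sample template */
    CK_ATTRIBUTE tmpl[] = { { CKA_TRUSTED, &yes, sizeof yes } };
    printf("normal user: 0x%lx, SO: 0x%lx\n",
           check_trusted_template(CKU_USER, tmpl, 1),
           check_trusted_template(CKU_SO, tmpl, 1));
    return 0;
}
```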


