SV: SV: [Opendnssec-develop] SoftHSM

Rickard Bondesson Rickard.Bondesson at iis.se
Tue Dec 2 13:44:11 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

"Point taken. If you want the soft token module to be as small in footprint as possible and as simple as possible, you could chose to do it that way. But you should at least try to make the design generic enough that it allows for changing this to a better PKCS #11 implementation in the future, and most of all: document the choices you make so others don't make wrong assumptions about the functionality in the module and so they don't assume that this is normal behaviour for a PKCS #11 module."

I agree

"Strictly speaking, the call to C_SignInit should return CKR_KEY_FUNCTION_NOT_PERMITTED in this case."

True, but as I mentioned earlier:

PKCS-11v2-20 page 196 specifies that you (SoftHSM) can assign default values to attributes not specified.
- - "or else are assigned default initial values"
-----BEGIN PGP SIGNATURE-----
Version: 9.8.3 (Build 4028)
Charset: utf-8

wsBVAwUBSTU7q+CjgaNTdVjaAQiUCwf+Il9Fix8ja0CgZQuVoaMcpJUSp/ZUO/9e
W064UIlFwrKyuVFeT4Ns/uaDS+Ytaf4rvcreNz3GUJaS5aGkgD9cZqYFz+D0Ea06
ktuWqmPlk+jhLhX2bT0mEvT3NZjPwKuhOjwhP6Ut9Abu3o96/Oq2wKbqsyX55Db+
UwGMYyZedmWrxTRuxtsWv2b7c8zVK5xH4uBYYjkgrNE0CPXPDjFJbr6+FE+si40o
S9ltFMbbOyG7a416++iEN2I9w1s4uV0clKNl0S8lt+oEczGO9HOd4Z4SNhsBk2QY
N4XvJ6lGVx7eNN7Fpdg9MOZ2kvAD0nYrFn57uWS7YASsWdDgFS6h4Q==
=zB1s
-----END PGP SIGNATURE-----



More information about the Opendnssec-develop mailing list