SV: SV: [Opendnssec-develop] SoftHSM
Roland van Rijswijk
roland.vanrijswijk at surfnet.nl
Tue Dec 2 13:49:43 UTC 2008
Hi Rickard,
Rickard Bondesson wrote:
> "Strictly speaking, the call to C_SignInit should return
> CKR_KEY_FUNCTION_NOT_PERMITTED in this case."
>
> True, but as I mentioned earlier:
>
> PKCS-11v2-20 page 196 specifies that you (SoftHSM) can assign default
> values to attributes not specified. - "or else are assigned default
> initial values"
The reason they put this in the standard is that many vendors chose to
do this while implementing modules compliant with v2.11 of the spec.
Personally, I think one shouldn't provide default values as applications
that use PKCS #11 will come to rely on this thus making them
incompatible with more strict implementations of PKCS #11... But this is
not a discussion to have on the OpenDNSSEC list, this is a more general
annoyance I have with some PKCS #11 module vendors ;-)
Cheers,
Roland.
--
-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl
More information about the Opendnssec-develop
mailing list