SV: SV: [Opendnssec-develop] SoftHSM

Roland van Rijswijk roland.vanrijswijk at surfnet.nl
Tue Dec 2 14:49:43 CET 2008


Hi Rickard,

Rickard Bondesson wrote:

> "Strictly speaking, the call to C_SignInit should return
> CKR_KEY_FUNCTION_NOT_PERMITTED in this case."
> 
> True, but as I mentioned earlier:
> 
> PKCS-11v2-20 page 196 specifies that you (SoftHSM) can assign default
> values to attributes not specified. - "or else are assigned default
> initial values"

The reason they put this in the standard is that many vendors chose to
do this while implementing modules compliant with v2.11 of the spec.
Personally, I think one shouldn't provide default values as applications
that use PKCS #11 will come to rely on this thus making them
incompatible with more strict implementations of PKCS #11... But this is
not a discussion to have on the OpenDNSSEC list, this is a more general
annoyance I have with some PKCS #11 module vendors ;-)

Cheers,

Roland.

-- 

-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl



More information about the Opendnssec-develop mailing list