SV: SV: [Opendnssec-develop] SoftHSM

Roland van Rijswijk roland.vanrijswijk at
Tue Dec 2 13:49:43 UTC 2008

Hi Rickard,

Rickard Bondesson wrote:

> "Strictly speaking, the call to C_SignInit should return
> True, but as I mentioned earlier:
> PKCS-11v2-20 page 196 specifies that you (SoftHSM) can assign default
> values to attributes not specified. - "or else are assigned default
> initial values"

The reason they put this in the standard is that many vendors chose to
do this while implementing modules compliant with v2.11 of the spec.
Personally, I think one shouldn't provide default values as applications
that use PKCS #11 will come to rely on this thus making them
incompatible with more strict implementations of PKCS #11... But this is
not a discussion to have on the OpenDNSSEC list, this is a more general
annoyance I have with some PKCS #11 module vendors ;-)




-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at

More information about the Opendnssec-develop mailing list