[Opendnssec-develop] *blush* The experts agree. CKA_ID it is.
Jakob Schlyter
jakob at kirei.se
Thu Mar 12 21:07:31 UTC 2009
I recommend that we use the ASCII representation of the UUID to ease
access with 3rd party tools for debugging and monitoring.
--
Sent from my iPhone, hence this mail might be briefer than normal.
On 12 mar 2009, at 18.45, "Roy Arends" <roy at nominet.org.uk> wrote:
> I've discussed the issue with David Miller and Dr Stephen N Henson.
>
> It seems that there is indeed much confusion in the field about
> CKA_ID's and CKA_LABELs. As an example, there exist pkcs11 libraries
> that will promiscuously match CKA_ID's while the search template
> specifies CKA_LABEL and vice versa. On the uniqueness of identifiers
> they advised that we can't uniquely assign identifiers per object,
> since some objects need to match other objects. In our case, we need
> to match CKO_PRIVATE_KEY with CKO_PUBLIC_KEY. Two different,
> independent objects from a PKCS11 perspective, though they need to
> be matched. For that purpose, we need to have CKA_ID to match the
> two, hence they need to be equal. So the uniquely identifiable
> pragma holds only for CKO_PRIVATE_KEY and CKO_PUBLIC_KEY Pairs.
> There are some implementations that ignore CKA_ID, and some that
> ignore CKA_LABEL. Even to the point that the attribute is present,
> but can't be used for C_FindObjects.
>
> Another issue is that often CKA_LABEL needs to be non-empty, as
> there are some applications that use the empty CKA_LABEL to match
> all objects for a certain purpose. Their conclusion is to be
> pragmatic. Though the theory is that CKA_LABEL can well be used for
> searching, CKA_ID needs to be present anyway to match the private
> object with the public object. Hence forcing the use of CKA_LABEL is
> overkill.
>
> So it seems that the experts (rick, roland, david and steve) agree.
> I'll step off my high-horse and conform. CKA_ID it is. Next time we
> meet (RIPE?) , beer is on me, to compensate for the wasted time.
> (Rick, lets do that soon).
>
> That leaves us with the encoding. do we put a string like
> "254F9220-7B9C-4386-ABC2-F8230E3843B3" in the CKA_ID or do we put
> the 128 bit value in the CKA_ID. There is no restriction here, other
> than the requirement of the signer for translating the 128 bit value
> to UUID when we decide to store the 128-bit value. (the translation
> does not need to be done in the signer when we use the UUID overall).
>
> We still need the CKA_LABEL to be non-empty. I'll just put
> "OpenDNSSEC DNSKEY" in there, unless told otherwise.
>
> Thanks,
>
> Regards,
>
> Roy Arends
> Sr. Researcher
> Nominet UK
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20090312/3cfbb2f3/attachment.htm>
More information about the Opendnssec-develop
mailing list