[Opendnssec-develop] *blush* The experts agree. CKA_ID it is.

Jakob Schlyter jakob at kirei.se
Thu Mar 12 21:07:31 UTC 2009

I recommend that we use the ASCII representation of the UUID to ease  
access with 3rd party tools for debugging and monitoring.

Sent from my iPhone, hence this mail might be briefer than normal.

On 12 mar 2009, at 18.45, "Roy Arends" <roy at nominet.org.uk> wrote:

> I've discussed the issue with David Miller and Dr Stephen N Henson.
> It seems that there is indeed much confusion in the field about  
> CKA_IDs and CKA_LABELs. As an example, there exist pkcs11 libraries
> that will promiscuously match CKA_IDs while the search template
> specifies CKA_LABEL and vice versa. On the uniqueness of identifiers  
> they advised that we can't uniquely assign identifiers per object,  
> since some objects need to match other objects. In our case, we need  
> to match CKO_PRIVATE_KEY with CKO_PUBLIC_KEY. Two different,  
> independent objects from a PKCS11 perspective, though they need to  
> be matched. For that purpose, we need to have CKA_ID to match the  
> two, hence they need to be equal. So the uniquely identifiable  
> pragma holds only for CKO_PRIVATE_KEY and CKO_PUBLIC_KEY pairs.
> There are some implementations that ignore CKA_ID, and some that  
> ignore CKA_LABEL. Even to the point that the attribute is present,  
> but can't be used for C_FindObjects.
> Another issue is that often CKA_LABEL needs to be non-empty, as  
> there are some applications that use the empty CKA_LABEL to match  
> all objects for a certain purpose. Their conclusion is to be  
> pragmatic. Though the theory is that CKA_LABEL can well be used for  
> searching, CKA_ID needs to be present anyway to match the private  
> object with the public object. Hence forcing the use of CKA_LABEL is  
> overkill.
> So it seems that the experts (rick, roland, david and steve) agree.  
> I'll step off my high horse and conform. CKA_ID it is. Next time we
> meet (RIPE?), beer is on me, to compensate for the wasted time.
> (Rick, let's do that soon).
> That leaves us with the encoding. Do we put a string like
> "254F9220-7B9C-4386-ABC2-F8230E3843B3" in the CKA_ID or do we put
> the 128 bit value in the CKA_ID? There is no restriction here, other
> than the requirement of the signer for translating the 128 bit value
> to UUID when we decide to store the 128-bit value. (The translation
> does not need to be done in the signer when we use the UUID overall.)
> We still need the CKA_LABEL to be non-empty. I'll just put  
> "OpenDNSSEC DNSKEY" in there, unless told otherwise.
> Thanks,
> Regards,
> Roy Arends
> Sr. Researcher
> Nominet UK
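Added example, not part of the thread and not OpenDNSSEC code: the two CKA_ID encodings discussed above (36-byte ASCII UUID versus the 16-byte value), with the translation the signer would need if the 128-bit form were stored. The function names are hypothetical, and the byte-for-byte comparison is an assumption about how a token matches a CKA_ID in a search template.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define UUID_STR_LEN 36 /* ASCII form, e.g. "254F9220-7B9C-4386-ABC2-F8230E3843B3" */
#define UUID_BIN_LEN 16 /* the same value stored as 128 bits */

/* Parse the ASCII form into 16 bytes. Returns 0 on success, -1 on malformed input. */
int uuid_ascii_to_bin(const char *s, unsigned char out[UUID_BIN_LEN])
{
    size_t i, n = 0; /* n counts hex digits consumed so far */
    if (s == NULL || strlen(s) != UUID_STR_LEN) return -1;
    for (i = 0; i < UUID_STR_LEN; i++) {
        if (i == 8 || i == 13 || i == 18 || i == 23) { if (s[i] != '-') return -1; continue; }
        int c = toupper((unsigned char)s[i]);
        if (!isxdigit(c)) return -1;
        int v = (c <= '9') ? c - '0' : c - 'A' + 10;
        out[n / 2] = (unsigned char)((n % 2) ? (out[n / 2] | v) : (v << 4));
        n++;
    }
    return 0;
}

/* Format 16 bytes as an upper-case ASCII UUID; out must hold 37 bytes. */
void uuid_bin_to_ascii(const unsigned char in[UUID_BIN_LEN], char out[UUID_STR_LEN + 1])
{
    static const char hex[] = "0123456789ABCDEF";
    size_t i, p = 0;
    for (i = 0; i < UUID_BIN_LEN; i++) {
        if (i == 4 || i == 6 || i == 8 || i == 10) out[p++] = '-';
        out[p++] = hex[in[i] >> 4]; out[p++] = hex[in[i] & 0x0F];
    }
    out[p] = '\0';
}

/* Assumed matching rule: same length and same bytes, no case folding. */
int cka_id_equal(const void *a, size_t alen, const void *b, size_t blen)
{
    return alen == blen && memcmp(a, b, alen) == 0;
}

int main(void)
{
    const char *ascii = "254F9220-7B9C-4386-ABC2-F8230E3843B3"; /* UUID quoted in the thread */
    unsigned char bin[UUID_BIN_LEN];
    if (uuid_ascii_to_bin(ascii, bin) != 0) return 1;
    printf("ASCII vs binary CKA_ID equal: %d\n", cka_id_equal(ascii, UUID_STR_LEN, bin, UUID_BIN_LEN));
    return 0;
}
```

Under that matching rule, every component that writes or searches CKA_ID has to agree on one encoding, and for the ASCII form on one letter case as well.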
