[Opendnssec-develop] *blush* The experts agree. CKA_ID it is.

Rick van Rein rick at openfortress.nl
Fri Mar 20 07:01:17 UTC 2009

Hi all,

To be honest, I'm not keen on following OpenSC as the definition of what
our PKCS #11 implementation should look like.  I'd rather improve on
the code of that library if it fails to meet the standard.  I don't
hold the quality of OpenSC very highly and it could drag us down.

Having said that, I don't mind storing identifiers textually, as long
as we remember to handle upper/lowercase problems.

Perhaps it is better to store CKA_ID in its canonical, binary form,
to avoid any such problems.  It is great that tools like OpenSC
solve the problem of how to print binary content by showing it as
hex dumps.  This is probably the most sensible one can do, given
that CKA_ID is just a binary byte array.

If our UUID is spelled out in hexadecimal and then stored, each
hex digit would be printed as a byte code, which is not the
intuitive readout that we were hoping for by storing the UUID
as a text string.

Had we stored the UUID in CKA_LABEL, a textual representation would
have been ideal; but since we are going for CKA_ID, I think it is
best to stick to the binary representation.

> so, 2EFAD382-4F44-475E-97CE-1CE3EB9283FE would be stored as a 16-byte  
> array:
> { 2E FA D3 82 4F 44 47 5E 97 CE 1C E3 EB 92 83 FE }
> Roland? Rick? does this make sense?

Yes, even if it seems to conflict earlier messages.  This is what
I am in favour of.  But not just because OpenSC told us so!


More information about the Opendnssec-develop mailing list