PKCS11: selecting which key to use
NdK
ndk.clanbo at gmail.com
Fri Feb 18 16:40:43 EST 2011
On 18/02/2011 03:52, Peter Stuge wrote:
>> Just popping in (not subscribed, please CC) to ask if it's planned to
>> add "identity selection" when using a PKCS#11 provider.
> For lack of better alternatives I guess PKCS#11 URI may be the way to go.
Uhm... remember that there already are at least four ways to identify a
specific key on a card:
- by key ID (combined w/ "slot" or not, whatever is your idea of what a
"slot" is)
- by label
- by matching part of certificate CN
- by file path
I don't like the first if it's used as slot:id 'cause "slot" is not well
defined (is it a key or a PIN? I could find both interpretations). If
w/o slot it could be ambiguous if the same key ID is on more than one
card (quite a rare case: needs multiple readers connected).
The second is IMVHO the most versatile, just a mnemonic ID... same cons
of using ID.
The third is like the second, but even less probable to have the same
cert on multiple cards. But it requires to setup a CA to issue certs, or
have certs issued by an external CA.
The fourth is IMHO too "low level" to be actually useful, but could be
used to say "always use the first key on card"...
What could a pkcs11 URI look like?
BYtE!
More information about the openssh-unix-dev
mailing list