PKCS11: selecting which key to use

NdK ndk.clanbo at gmail.com
Fri Feb 18 16:40:43 EST 2011


On 18/02/2011 03:52, Peter Stuge wrote:

>> Just popping in (not subscribed, please CC) to ask if it's planned to
>> add "identity selection" when using a PKCS#11 provider.
> For lack of better alternatives I guess PKCS#11 URI may be the way to go.
Uhm... remember that there already are at least four ways to identify a 
specific key on a card:
- by key ID (combined w/ "slot" or not, whatever is your idea of what a "slot" is)
- by label
- by matching part of certificate CN
- by file path

I don't like the first if it's used as slot:id 'cause "slot" is not well 
defined (is it a key or a PIN? I could find both interpretations). If 
w/o slot it could be ambiguous if the same key ID is on more than one 
card (quite a rare case: needs multiple readers connected).
The second is IMVHO the most versatile, just a mnemonic ID... same cons 
as using ID.
The third is like the second, but even less likely to have the same 
cert on multiple cards. But it requires setting up a CA to issue certs, or 
having certs issued by an external CA.
The fourth is IMHO too "low level" to be actually useful, but could be 
used to say "always use the first key on card"...

What could a pkcs11 URI look like?

BYtE!
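As an added illustration of the question above (this is example code, not part of the thread or of OpenSSH), the following Python shows what selecting a key by pkcs11: URI looks like in practice. It assumes the attribute names of the pkcs11 URI scheme as later standardised in RFC 7512 (token, slot-id, id, object), a constructed inventory of key objects standing in for what a PKCS#11 provider would enumerate, and a hypothetical substring-on-CN selector for the post's third option. The point it makes is the ambiguity concern raised in the post: a selector that matches more than one key must be rejected rather than silently picking the first.

```python
"""Key selection on a PKCS#11 token: by URI attributes or by certificate CN.

Added example, not code from the openssh-unix-dev thread. The inventory is
constructed to reproduce the ambiguity the post describes: the same CKA_ID
present on two cards in two readers.
"""
from dataclasses import dataclass
from urllib.parse import unquote, unquote_to_bytes


@dataclass(frozen=True)
class KeyObject:
    slot_id: int    # slot the token sits in (one reader == one slot here)
    token: str      # token label
    key_id: bytes   # CKA_ID of the key object
    label: str      # CKA_LABEL of the key object
    cert_cn: str    # subject CN of the certificate paired with the key


# Constructed sample inventory (assumption): two cards in two readers,
# both carrying a key with CKA_ID 0x01 and label "signing".
INVENTORY = [
    KeyObject(0, "Alice card", b"\x01", "signing", "Alice"),
    KeyObject(0, "Alice card", b"\x02", "auth", "Alice"),
    KeyObject(1, "Backup card", b"\x01", "signing", "Alice (backup)"),
]


def parse_pkcs11_uri(uri: str) -> dict:
    """Parse the path part of a pkcs11: URI into an attribute dict.

    Attributes are ';'-separated name=value pairs, percent-encoded. 'id' is
    binary (decoded to bytes); the others are text. Each attribute may
    appear at most once. Query attributes (after '?') are ignored here.
    """
    scheme, sep, rest = uri.partition(":")
    if scheme != "pkcs11" or not sep:
        raise ValueError("not a pkcs11: URI")
    path, _, _query = rest.partition("?")
    attrs = {}
    for part in path.split(";"):
        if not part:
            continue
        name, eq, value = part.partition("=")
        if not eq:
            raise ValueError(f"malformed attribute {part!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute {name!r}")
        attrs[name] = unquote_to_bytes(value) if name == "id" else unquote(value)
    return attrs


def _matches(obj: KeyObject, attrs: dict) -> bool:
    """True if every attribute given in the URI agrees with the object."""
    if "slot-id" in attrs and obj.slot_id != int(attrs["slot-id"]):
        return False
    if "token" in attrs and obj.token != attrs["token"]:
        return False
    if "id" in attrs and obj.key_id != attrs["id"]:
        return False
    if "object" in attrs and obj.label != attrs["object"]:
        return False
    return True


def _exactly_one(hits: list, what: str) -> KeyObject:
    """Refuse both 'no match' and 'more than one match'."""
    if not hits:
        raise LookupError(f"no key matches {what}")
    if len(hits) > 1:
        raise LookupError(f"ambiguous selector {what}: {len(hits)} keys match")
    return hits[0]


def select_key(uri: str, inventory=INVENTORY) -> KeyObject:
    """Select the single key identified by a pkcs11: URI."""
    attrs = parse_pkcs11_uri(uri)
    return _exactly_one([o for o in inventory if _matches(o, attrs)], uri)


def select_by_cn(cn_part: str, inventory=INVENTORY) -> KeyObject:
    """Hypothetical selector for the post's third option: substring of the
    certificate CN. Same uniqueness rule applies."""
    return _exactly_one([o for o in inventory if cn_part in o.cert_cn], f"CN~{cn_part!r}")


if __name__ == "__main__":
    print(select_key("pkcs11:token=Alice%20card;id=%01"))
    print(select_key("pkcs11:slot-id=1;object=signing"))
    for bad in ("pkcs11:id=%01", "pkcs11:object=signing"):
        try:
            select_key(bad)
        except LookupError as e:
            print("rejected:", e)
```

Pinning the token label (or slot-id) alongside the key id is what removes the "same ID on two cards" ambiguity; id alone is rejected once the second reader is plugged in, which is the behaviour you want from an ssh client rather than a silent choice of whichever card enumerates first.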


More information about the openssh-unix-dev mailing list