On Mon, Jun 24, 2013 at 2:48 PM, Rick van Rein <r...@openfortress.nl> wrote:
> Hi,
>
> > > Nit: PKCS #11 is not a networked API, but implementations can access
> > > remote devices.
> >
> > That's how remote HSMs are usually used, right?
>
> Some HSMs are network connected, in which case the PKCS #11 API will
> conceal a remote connection.
> Other HSMs are plug-in cards for a system bus like PCI or USB.

I'm concerned about the network ones.

> > How does the user "select the key container"? In other words: how do I select
> > my certificate and not the one from my neighbours?
>
> * CKA_ID and/or CKA_LABEL attributes
> * multiple slots / tokens, sometimes called "partitions" of your HSM
>
> > I know PKCS#11 internals, and I know how I can (as a developer) select a
> > cert, but I still can't see how this is done in a "transparent" browser.
> > The browser requests GetSlotList (so every slot should be returned) and
> > all certificates are shown?
>
> All those that are visible to the authenticating user and in the
> slot/token that you set up.
>
> > I don't know if you see my point: how to link "account" with partition?
>
> By configuring its token name in the browser, and/or by access control. I
> am not sure if / how browsers will let you specify the token though.

I still don't get it. I could register a PKCS#11 module in my Firefox to communicate with an HSM. But that doesn't involve, in any way, linking the "john....@example.com" authenticated user with a certificate stored on the HSM. I must be missing something, like a browser add-on, special library initialization (not covered by the PKCS#11 standard) or something else, that will tell the HSM to get the correct certificate/partition.

> -Rick
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
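The two selection approaches discussed in the thread, as an added example that is not part of the original message or of any project mentioned in it: a client that simply walks C_GetSlotList and lists every CKO_CERTIFICATE object (what the poster fears a browser does), next to one that first scopes to a single token by its label (the "partition") and then picks the certificate and its private key by a shared CKA_ID, the way Rick describes. The PKCS #11 attribute and object-class constants are the real Cryptoki values; the `FakeModule` class, the `select_certificate` function, the two token labels and the CKA_ID values are constructed stand-ins so that this runs offline without an HSM or a real PKCS #11 library.

```python
"""Scoping a PKCS #11 certificate lookup to one token (partition) and one CKA_ID.

Added example: FakeModule is a constructed in-memory stand-in for a PKCS #11
library, modelling only the calls the discussion names (C_GetSlotList,
C_GetTokenInfo and C_FindObjects with an attribute template).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Real PKCS #11 (Cryptoki) constants
CKA_CLASS = 0x000
CKA_LABEL = 0x003
CKA_ID = 0x102
CKO_CERTIFICATE = 0x1
CKO_PRIVATE_KEY = 0x3


@dataclass
class Token:
    label: str                 # CK_TOKEN_INFO.label, the "partition" name
    objects: List[Dict]        # each object is {attribute: value}


@dataclass
class Slot:
    slot_id: int
    token: Optional[Token]     # None models an empty slot


class FakeModule:
    """Constructed stand-in for a PKCS #11 module (hypothetical, not a real API)."""

    def __init__(self, slots: List[Slot]):
        self._slots = {s.slot_id: s for s in slots}

    def get_slot_list(self) -> List[int]:
        # C_GetSlotList(tokenPresent=TRUE): only slots that actually hold a token
        return [sid for sid, s in self._slots.items() if s.token is not None]

    def get_token_info(self, slot_id: int) -> Token:
        return self._slots[slot_id].token

    def find_objects(self, slot_id: int, template: Dict) -> List[Dict]:
        # C_FindObjectsInit/C_FindObjects: every attribute in the template must match
        token = self._slots[slot_id].token
        return [o for o in token.objects if all(o.get(a) == v for a, v in template.items())]


def list_all_certificates(module: FakeModule) -> List[Tuple[str, bytes, str]]:
    """Naive enumeration: every certificate in every token the user can see."""
    found = []
    for sid in module.get_slot_list():
        label = module.get_token_info(sid).label
        for obj in module.find_objects(sid, {CKA_CLASS: CKO_CERTIFICATE}):
            found.append((label, obj[CKA_ID], obj[CKA_LABEL]))
    return found


def select_certificate(module: FakeModule, token_label: str, cka_id: bytes):
    """Scope to exactly one token by label, then exactly one cert/key pair by CKA_ID.

    Refuses to guess when the token label or the CKA_ID is ambiguous, since a
    silent "first match" would pick the neighbour's certificate.
    """
    slots = [sid for sid in module.get_slot_list()
             if module.get_token_info(sid).label == token_label]
    if len(slots) != 1:
        raise LookupError(f"expected one token labelled {token_label!r}, found {len(slots)}")
    sid = slots[0]
    certs = module.find_objects(sid, {CKA_CLASS: CKO_CERTIFICATE, CKA_ID: cka_id})
    if len(certs) != 1:
        raise LookupError(f"expected one certificate with CKA_ID {cka_id!r}, found {len(certs)}")
    # Convention: the private key belonging to a certificate carries the same CKA_ID
    keys = module.find_objects(sid, {CKA_CLASS: CKO_PRIVATE_KEY, CKA_ID: cka_id})
    if len(keys) != 1:
        raise LookupError(f"expected one private key with CKA_ID {cka_id!r}, found {len(keys)}")
    return sid, certs[0], keys[0]


def build_demo_module() -> FakeModule:
    """Constructed sample data: two users, one partition each, both using CKA_ID 0x01."""
    def pair(owner: str) -> List[Dict]:
        return [
            {CKA_CLASS: CKO_CERTIFICATE, CKA_ID: b"\x01", CKA_LABEL: f"{owner} cert"},
            {CKA_CLASS: CKO_PRIVATE_KEY, CKA_ID: b"\x01", CKA_LABEL: f"{owner} key"},
        ]
    return FakeModule([
        Slot(0, Token("john.doe", pair("john.doe@example.com"))),
        Slot(1, Token("neighbour", pair("neighbour@example.com"))),
        Slot(2, None),  # empty slot, dropped by get_slot_list
    ])


if __name__ == "__main__":
    m = build_demo_module()
    print("all certificates:", list_all_certificates(m))
    print("john's pair:", select_certificate(m, "john.doe", b"\x01"))
```

Because both users reuse the same CKA_ID, `list_all_certificates` returns two candidates and CKA_ID alone cannot disambiguate them; only the token label does. That is the configuration step the thread is asking about: something outside the PKCS #11 module itself (the browser, its security-device settings, or access control on the HSM) has to supply the token label for the authenticated account.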