Alon Bar-Lev wrote:
> In more detail, instead of using a static, local token, I would like to
> interface the pkcs#11 to a dynamic certificate: the middleware first
> creates a keypair, sends it off to a CA that issues a certificate on
> the fly, and then presents that through the pkcs#11 interface.
>
> Will this kind of thing be possible?

I don't think so. There is no valid common sequence that will allow you to do this. I also don't see the use case, can you please explain?

We do something like this to translate kerberos tickets into cert/key usable from pkcs11. But it only makes sense if you have some way to convince the CA that it should sign the keypair and issue a cert. In our case that's kerberos. Otherwise, how can anyone trust the cert?