On Mar 16, 2010, at 09:09 , Andreas Jellinghaus wrote: > Am Dienstag 16 März 2010 07:20:31 schrieb Rickard Bellgrim: >> Hi >> >> A quick comment is that OpenDNSSEC will, probably in May, only need the >> private part of the key. Since you can derive the public part from the >> private object. This will save space in the HSM and make our code faster. > > hu? a smart card will never give you its private key. you can use it for > signing or decryption, but you can't download the private key. that > is the whole point of the card/HSM. so not sure what opendnssec will need > in detail. A smart card usually never gives out the key *generated* in the card. If supported by the card it sometimes makes sense to extract the key, but not in clear. And vice versa (keys generated somewhere else are unwrapped inside the card).
>From PKCS#15: The semantics of the accessFlags field’s sensitive, extractable, alwaysSensitive, neverExtractable and local identifiers is the same as in PKCS #11. This field is not required to be present in cases where its value can be deduced by other means. And from PKCS#11: Additional protection can be given to private keys and secret keys by marking them as “sensitive” or “unextractable”. Sensitive keys cannot be revealed in plaintext off the token, and unextractable keys cannot be revealed off the token even when encrypted (though they can still be used as keys). So the whole wraping/extractable/sensitive flagging is currently arbitrary and does not follow neither standard. See http://www.opensc-project.org/opensc/ticket/198 for some extra information and a patch that fixes at least one issue with the topic. The unwrapping that *is* supported happens in software and could be done elsewhere (PKCS#11 module for smart cards should only operate with hardware based objects, if possible) -- Martin Paljak http://martin.paljak.pri.ee +3725156495 _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
