Darren J Moffat wrote:
> I'd like to establish a standard URI based naming scheme that allows
> fully referencing any object stored in a PKCS#11 token by name.
>
> There are multiple possible URI schemes that could do this, with the
> simplest being the following:
>
> Proposal 1: Simple Positioning
> ------------------------------
> pkcs11:[<token label>]:[<manuf>]:[<model>][<serial>]:<object label>
>
> eg:
> pkcs11::::MyFooKey
> pkcs11:Sun Softtoken::::SignKey
> pkcs11:Exam 456:Example Co Inc:Super2000:A435F32:HostFooSSLKey
>
>
> The downside to that simple scheme is the multiple colons make it too
> easy to make a mistake.
>
> Proposal 2: Named value
> -----------------------
>
> pkcs11:[;token=<label>][;manuf=<label>][;serial=<label>][;model=<label>][;object=<label>]
>
> eg:
>
> pkcs11:object=MyFooKey
> pkcs11:token=Sun Softtoken;object=SignKey
> pkcs11:token=Exam 456;manuf=Example Co Inc;model=Super2000;serial=A435F32;object=HostFooSSLKey
>
>
> I'd like some discussion on this. I don't personally see a need for the
> slot name to be specified here, but I wouldn't object to it being added
> in. I also haven't purposely added any ability to specify the PIN;
> however, specifying whether a login is expected or not might be useful.
>
I prefer name/value attribute pairs. This could also be expressed in XML or other formats that maintain name/value relationships.

How does the "slot name" differ from "token label"? I think token label is important.

Also, serial numbers are associated with certificates but not necessarily with keys. Are you referring to the key's CKA_ID value or CKA_SERIAL?

-Wyllys
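As an added example, not code from the thread or from either author, the following Python parses both proposed schemes and resolves a parsed reference against a small constructed token inventory. It assumes what the proposal leaves open: attribute values contain no ';' or '=' (no escaping is defined), 'serial' is the token's serial number since it is listed beside manuf and model, and the positional scheme has five colon-separated fields (token, manuf, model, serial, object), which matches the second and third positional examples but not the four-field template or the first example. Run on the thread's own URIs, it makes the colon-count pitfall concrete: a positional parser fixed to either count must reject one of the three examples, while the name/value form has no such ambiguity and can say exactly which attribute is missing or duplicated.

```python
"""Parsers for the two pkcs11: naming schemes proposed in the thread, plus a
matcher that resolves a parsed reference against a token inventory.

Added example, not code from the thread.  Assumptions (not settled by the
proposal): attribute values contain no ';' or '=' (no escaping is defined);
'serial' means the token's serial number; the positional scheme has five
colon-separated fields (token, manuf, model, serial, object).
"""
from typing import Callable, Dict, List

NAMED_ATTRS = ("token", "manuf", "serial", "model", "object")
POSITIONAL_FIELDS = ("token", "manuf", "model", "serial", "object")


def _strip_scheme(uri: str) -> str:
    """Check the 'pkcs11' scheme and return everything after the first ':'."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "pkcs11":
        raise ValueError(f"not a pkcs11: URI: {uri!r}")
    return rest


def parse_named(uri: str) -> Dict[str, str]:
    """Proposal 2: pkcs11:[;token=..][;manuf=..][;serial=..][;model=..][;object=.."""
    attrs: Dict[str, str] = {}
    for part in _strip_scheme(uri).split(";"):
        if part == "":
            continue  # tolerate the leading ';' shown in the template
        name, eq, value = part.partition("=")
        if not eq:
            raise ValueError(f"attribute without '=': {part!r}")
        if name not in NAMED_ATTRS:
            raise ValueError(f"unknown attribute: {name!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute: {name!r}")
        attrs[name] = value
    if "object" not in attrs:
        raise ValueError("object label is required")
    return attrs


def parse_positional(uri: str) -> Dict[str, str]:
    """Proposal 1, read as five fields: pkcs11:<token>:<manuf>:<model>:<serial>:<object>"""
    fields = _strip_scheme(uri).split(":")
    if len(fields) != len(POSITIONAL_FIELDS):
        raise ValueError(
            f"expected {len(POSITIONAL_FIELDS)} colon-separated fields, got {len(fields)}")
    ref = {name: value for name, value in zip(POSITIONAL_FIELDS, fields) if value}
    if "object" not in ref:
        raise ValueError("object label is required")
    return ref


def match_tokens(ref: Dict[str, str], inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the tokens whose fields equal every token attribute given in ref.

    Attributes absent from ref are wildcards.  'object' names something inside
    a token, so it is not used to select the token."""
    wanted = {k: v for k, v in ref.items() if k != "object"}
    return [t for t in inventory if all(t.get(k) == v for k, v in wanted.items())]


# Constructed sample inventory (hypothetical devices, not real data), shaped
# like the token label / manufacturer / model / serial fields the proposal names.
INVENTORY = [
    {"token": "Sun Softtoken", "manuf": "Example Vendor", "model": "", "serial": ""},
    {"token": "Exam 456", "manuf": "Example Co Inc", "model": "Super2000", "serial": "A435F32"},
    {"token": "Exam 456", "manuf": "Example Co Inc", "model": "Super2000", "serial": "B778C10"},
]


def resolve(uri: str) -> List[Dict[str, str]]:
    """Parse a name/value URI and return the candidate tokens from INVENTORY."""
    return match_tokens(parse_named(uri), INVENTORY)


def rejects(parser: Callable[[str], Dict[str, str]], uri: str) -> bool:
    """True if the parser refuses the URI with ValueError."""
    try:
        parser(uri)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The two five-field positional examples parse; the four-field one does not.
    for u in ("pkcs11::::MyFooKey", "pkcs11:Sun Softtoken::::SignKey",
              "pkcs11:Exam 456:Example Co Inc:Super2000:A435F32:HostFooSSLKey"):
        print(u, "->", "rejected" if rejects(parse_positional, u) else parse_positional(u))
    # Without a serial, two tokens with the same label and model remain candidates.
    print(resolve("pkcs11:token=Exam 456;object=HostFooSSLKey"))
    print(resolve("pkcs11:token=Exam 456;serial=A435F32;object=HostFooSSLKey"))
```

The matcher treats every token attribute in the reference as an exact-match filter and everything omitted as a wildcard, so `pkcs11:object=MyFooKey` selects every token and the caller has to search each for the object label; adding `serial=` is what narrows two same-label, same-model tokens to one.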