> > I just learned that PKCS#15 IDs are non-unique and MUST be chosen
>
> it is not a must, just a recommendation to simplify the search for
> the corresponding private key (btw: afaik pkcs11 recommends to use
> subject key identifier (normally a digest of the key) as id)
If this is a recommendation only, then OpenSwan should not rely on it. On the other hand, OpenSwan seems to select certificates by ID, so it seems to assume that an ID (uniquely) identifies a certificate. If PKCS#11 recommends to use subject identifiers as IDs, then this is a recommendation to use unique IDs, as different certificates will most likely have different subject identifiers. If one follows this recommendation, what ID should be chosen for a private key that is shared by two different certificates?

The following two assumptions (or recommendations):

1) certificates can be uniquely identified by ID
2) for each certificate there exists a private key with the same ID

cannot be fulfilled at the same time if a token has more than one certificate per key. I therefore guess that the PKCS#11 recommendations were meant for tokens with a one-to-one mapping between certificates and keys only.

So I cannot change my NetKey emulation such that OpenSwan can use both certificates, and Christian must hardcode in pkcs15-tcos.c which certificate he wants to use with OpenSwan - very unsatisfying!!

Peter

_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
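The two assumptions Peter lists can be checked mechanically. The following is an added example, not code from OpenSC, OpenSwan or any poster in this thread: it models a token as plain Python dictionaries (constructed data, not read from a real card) and shows that, for a key shared by two certificates, either both certificates collide on one ID (assumption 1 fails) or one certificate has no private key with its ID (assumption 2 fails). The field name `key_fp` is a hypothetical stand-in for a digest of the public key, the "subject key identifier" mentioned above; matching certificate to key on that digest instead of on the ID works for both layouts.

```python
"""Constructed illustration of the ID-mapping problem discussed in the thread.

Token objects below are hand-made dictionaries, not PKCS#11 objects read from a
real token, and the lookup functions are not OpenSC or OpenSwan code.
'id' stands for the PKCS#15/PKCS#11 object ID (CKA_ID); 'key_fp' is an assumed
digest of the public key shared by a certificate and its private key.
"""
from collections import defaultdict

# Layout 1 (constructed): one key, two certificates, both given the key's ID.
TOKEN_SHARED_ID = {
    "certs": [
        {"label": "auth cert", "id": b"\x01", "key_fp": "fp-A"},
        {"label": "sign cert", "id": b"\x01", "key_fp": "fp-A"},  # same key, same ID
        {"label": "enc cert",  "id": b"\x02", "key_fp": "fp-B"},
    ],
    "privkeys": [
        {"label": "key A", "id": b"\x01", "key_fp": "fp-A"},
        {"label": "key B", "id": b"\x02", "key_fp": "fp-B"},
    ],
}

# Layout 2 (constructed): every certificate gets its own ID; the shared key
# can only carry one of them, so 'sign cert' has no key with its ID.
TOKEN_DISTINCT_IDS = {
    "certs": [
        {"label": "auth cert", "id": b"\x01", "key_fp": "fp-A"},
        {"label": "sign cert", "id": b"\x02", "key_fp": "fp-A"},  # same key, own ID
        {"label": "enc cert",  "id": b"\x03", "key_fp": "fp-B"},
    ],
    "privkeys": [
        {"label": "key A", "id": b"\x01", "key_fp": "fp-A"},
        {"label": "key B", "id": b"\x03", "key_fp": "fp-B"},
    ],
}


def certs_by_id(token, cert_id):
    """Lookup by ID alone, the way the thread says OpenSwan selects certificates."""
    return [c for c in token["certs"] if c["id"] == cert_id]


def privkey_for_cert_by_id(token, cert):
    """Assumption 2: the private key is the one carrying the certificate's ID."""
    keys = [k for k in token["privkeys"] if k["id"] == cert["id"]]
    return keys[0] if len(keys) == 1 else None


def check_assumptions(token):
    """Report whether assumptions 1 and 2 from the mail hold on this token."""
    by_id = defaultdict(list)
    for cert in token["certs"]:
        by_id[cert["id"]].append(cert)
    unique = all(len(group) == 1 for group in by_id.values())
    has_key = all(privkey_for_cert_by_id(token, c) is not None for c in token["certs"])
    return {"certs_unique_by_id": unique, "each_cert_has_key_with_same_id": has_key}


def privkey_for_cert_by_pubkey(token, cert):
    """Alternative that does not depend on IDs: match on the public-key digest."""
    keys = [k for k in token["privkeys"] if k["key_fp"] == cert["key_fp"]]
    return keys[0] if keys else None


def select_cert(token, label):
    """Pick a certificate by label, then find its key by public key.

    With this pairing the ID collision (layout 1) and the missing-ID key
    (layout 2) no longer matter; both certificates resolve to 'key A'.
    """
    cert = next(c for c in token["certs"] if c["label"] == label)
    return cert, privkey_for_cert_by_pubkey(token, cert)


if __name__ == "__main__":
    for name, token in (("shared ID", TOKEN_SHARED_ID), ("distinct IDs", TOKEN_DISTINCT_IDS)):
        print(name, check_assumptions(token))
        print("  certs with ID 01:", [c["label"] for c in certs_by_id(token, b"\x01")])
        print("  sign cert key by pubkey:", select_cert(token, "sign cert")[1]["label"])
```

Running the block prints that layout 1 satisfies assumption 2 but not 1 (two certificates answer to ID 01), layout 2 satisfies 1 but not 2, and that matching on the public-key digest finds `key A` for `sign cert` in both layouts.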
