On Wed, 2006-02-08 at 15:04 +0100, Peter Koch wrote:
[...]
> I would recommend to select the certificate by CKA_VALUE. It's the
> only mandatory PKCS#11 attribute that uniquely identifies a
> certificate :-)

Excellent :-D like there is a need to retrieve anything once you have
the CKA_VALUE :-))))

I very much liked this discussion. :-)

I think that the cert selection method really depends on the context:

- Sometimes, you want a specific certificate and the best way to point
to it is probably via its path (doh!). This is the _only_ way to be 100%
sure about what you are retrieving without having to type in 2kb of
identifier in your config files (or looking stupid) :)

- Sometimes you want a certificate (no matter precisely which) as long as
it has a set of features... In this case, browsing through the certs and
matching on features is the only way. Remember that C_FindObjects() will
only do a byte-by-byte comparison and that is not a good way to identify
subject names or anything else (e.g. because 'OU=X, O= Y' == 'O=Y, OU=X'
for ITU-T but it does not survive a binary comparison).

A good (practical) way to identify a certificate is to use the 4-tuple
[Issuer Name, Issuer Unique ID, Subject Name, Subject Unique ID] (the
pair of unique identifiers shall be enough) but this cannot be
performed by C_FindObjects(). Again, there's plenty of ways to match...
and if you know _exactly_ what you want, use the path or just cache the
info (previous point) :)

- Sometimes you want just _any_ certificate because there is no public
key and the pub keys are (correctly) assumed to be in the certs => you
do not really care which cert you get since you only look for the
pubkey.

But I am very glad we sorted this out because I could not figure out how
the object ID could be used to uniquely identify something... of
course, it can't so that's already a good point sorted out.

        fred

> Peter
> 

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
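The "browse and match on features" approach discussed above, as an added example that is not code from the thread or from OpenSC: it contrasts the byte-for-byte equality a C_FindObjects() template gives with a comparison that treats the subject as a DN (case- and whitespace-insensitive values per X.520 caseIgnoreMatch, unordered attributes within one RDN). The certificate list, labels and DN strings are constructed for the example; the parser handles only the RFC 4514 string form with escaped separators left in place.

```python
import re
from typing import FrozenSet, List, Tuple

# Split on an unescaped ',' (between RDNs) or '+' (between attribute-value
# assertions inside one RDN), as in the RFC 4514 string representation.
_RDN_SEP = re.compile(r"(?<!\\),")
_AVA_SEP = re.compile(r"(?<!\\)\+")


def _normalize(value: str) -> str:
    """X.520 caseIgnoreMatch: ignore case and leading/trailing/repeated spaces."""
    return " ".join(value.split()).casefold()


def parse_dn(dn: str) -> List[FrozenSet[Tuple[str, str]]]:
    """Parse a DN string into a sequence of RDNs, each an unordered set of
    (attributeType, normalizedValue). RDN order is kept on purpose: X.501
    defines a DN as a SEQUENCE of RDNs; only the AVAs inside one RDN form a SET."""
    rdns = []
    for rdn in _RDN_SEP.split(dn):
        avas = set()
        for ava in _AVA_SEP.split(rdn):
            if "=" not in ava:
                raise ValueError(f"malformed AVA: {ava!r}")
            attr_type, value = ava.split("=", 1)
            avas.add((attr_type.strip().upper(), _normalize(value)))
        rdns.append(frozenset(avas))
    return rdns


def dn_match(a: str, b: str) -> bool:
    """Compare two DNs under X.500 matching rules instead of byte equality."""
    return parse_dn(a) == parse_dn(b)


def byte_match(a: str, b: str) -> bool:
    """What a CKA_SUBJECT search template amounts to: the stored attribute
    value must equal the template value byte for byte."""
    return a.encode() == b.encode()


# Constructed sample of what a token might hold: (label, subject DN string).
CERTS = [
    ("auth", "CN=Alice, OU=X, O=Y"),
    ("sign", "CN=Alice,OU=x,O=y"),
    ("enc", "CN=Bob, OU=X, O=Y"),
]


def select_by_subject(wanted: str, certs=CERTS) -> List[str]:
    """Iterate over every certificate object and keep those whose subject
    matches the wanted DN; returns the matching labels in token order."""
    return [label for label, subject in certs if dn_match(subject, wanted)]
```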
