"Steven Bade" <[EMAIL PROTECTED]> wrote
> We generate all keys within our "tokens".... Some tokens such as the
> 4758 keep all the token objects within the secure boundary, and rely on
> the proper PKCS#11 attributes to control selection, keys generated stay
> within the FIPS4 boundary. Others which are accelerators, still use the
> PKCS#11 key generation calls (or object creation functions which could
> be done with the 4758 as well, but then these objects really can't be
> marked as NEVER_EXTRACTABLE because their origin is not really known or
> can be trusted).
>
> I don't remember exactly what the Trustway patch added, but it would be
> nice to allow for engine specific key generation to be used through the
> normal key generation paths, as well as allow for normal calls to be
> used to instantiate the CERT within the PKCS#11 token....

The Trustway patch added is for openssl-engine, so when you're using openssl with the -engine trustway argument, key generation is done through our PKCS#11 engine; otherwise the "normal key generation path" is always available and can be used without problem.

______________________________________
[EMAIL PROTECTED]
Bull Technologies - Trustway R&D - Networking & Security
http://www.servers.bull.com/trustway

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]