Re: kdesupport/qca/plugins/qca-pkcs11

Bringing to list.

> On 4/7/07, Alon Bar-Lev <alon.barlevgmail.com> wrote:
> > A few thoughts...
> > 1. I would like the PIN prompt to prompt the token
name as the token
> > prompt does. The PIN is actually requested for the
token and not for
> > the key, the key should be a comment like
information.

Hmm, maybe in this case, don't pass an entry?  Then the
token will be prompted 
for instead.

> > 2. I think the word "token" should be
added after the token name...

Okay.

> > 3. I still construct my own DN out of
cert.subjectInfoOrdered()..
> > Since certificate has no method for this. Notice
that the order is
> > modified, should be (CN,OU,O,C,E), and there are
two E... And I don't
> > wish to return to OpenSSL to format DN, since once
PKCS#1 is available
> > in QCA, I can drop OpenSSL.

I noticed you used this kind of string for the entry name,
but it seems too 
long to me.  How about using the PKCS#11 object label?  Or,
if that's not a 
good source, we could come up with a simple scheme (e.g.
"$CN from $O").  I 
just think that those OpenSSL-ish strings are very long and
not intuitive 
(only people like us will understand them).

If you still want to be able to construct those strings,
maybe we could make a 
public function to calculate them.  Is there a specification
somewhere?  Or 
can you describe the process?

There are two E values because of the Email DN and the Email
subjectAltName.  
Any suggestion?

-Justin
_______________________________________________
delta mailing list
deltalists.affinix.com
http://lists.affinix.com/listinfo.cgi/delta-affinix.com

On 4/7/07, Justin Karneges <justin-psi2affinix.com> wrote:
> > On 4/7/07, Alon Bar-Lev <alon.barlevgmail.com> wrote:
> > > A few thoughts...
> > > 1. I would like the PIN prompt to prompt the
token name as the token
> > > prompt does. The PIN is actually requested
for the token and not for
> > > the key, the key should be a comment like
information.
>
> Hmm, maybe in this case, don't pass an entry?  Then the
token will be prompted
> for instead.

Hmmm... This is what I requested initially...

> > > 3. I still construct my own DN out of
cert.subjectInfoOrdered()..
> > > Since certificate has no method for this.
Notice that the order is
> > > modified, should be (CN,OU,O,C,E), and there
are two E... And I don't
> > > wish to return to OpenSSL to format DN, since
once PKCS#1 is available
> > > in QCA, I can drop OpenSSL.
>
> I noticed you used this kind of string for the entry
name, but it seems too
> long to me.

I am opened to suggestion... I could not find a good one
yet.

> How about using the PKCS#11 object label?

PKCS#11 label or id will likeley be GUID or just a numerical
sequence.

> good source, we could come up with a simple scheme
(e.g. "$CN from $O").

Well... this is for high-level API to decide...
Again... I think I should only provide my objects... Higher
API should
decide how to display them... As always... I wish to reduce
functionality  of the provider... 

> I just think that those OpenSSL-ish strings are very
long and not intuitive
> (only people like us will understand them).

I don't think so... People are aware of them... Most people
will have
several certificates with the same CN, one for
authentication, one for
signature and one for decryption.
And they can have multiple of these issued by different
CAs.

So how do they know which one is requested?

The best approach is full DN + enhanced key usage...
But the enhanced key usage turns up to be quite long...
So I print only the DN.

> If you still want to be able to construct those
strings, maybe we could make a
> public function to calculate them.  Is there a
specification somewhere?  Or
> can you describe the process?

I don't understand.

> There are two E values because of the Email DN and the
Email subjectAltName.
> Any suggestion?

Oh!!!!
I did not expect subjectInfoOrdered  to scan the name and
altname...
Please provide two methods.

Thanks!
Alon Bar-Lev.
_______________________________________________
delta mailing list
deltalists.affinix.com
http://lists.affinix.com/listinfo.cgi/delta-affinix.com