Hi Tomofumi - KMIP is probably not relevant to this problem. The problem I think you're trying to solve here is not one of interface (how to talk to the keys), but of key protection.

Mike

On 8/2/2023 2:35 AM, Tomofumi Okubo via ksk-rollover wrote:
There is not much you can do with the existing keys but still, KMIP is something to consider going forward if one is concerned about vendor lock-ins. Needless to say, like anything else, there is a tradeoff.
Cheers! T.
On Mon, Jul 31, 2023 at 11:23 PM Jakob Schlyter via ksk-rollover <ksk-rollover@icann.org> wrote:
On 2023-07-31 at 14:53, Frederico A C Neves via ksk-rollover wrote:
> From our experience besides admin interfaces, standard APIs for
> regular operations, generating keys, sign, verify etc... are available
> (PKCS#11/KMIP) from multiple vendors. But exporting/importing a key,
> specially with the no-export attribute set, among vendors is not
> available.
I concur; moving keys not marked as CKA_EXTRACTABLE (at time of generation) is generally not supported (due to FIPS requirements).
jakob
--
Jakob Schlyter
Kirei AB - www.kirei.se <http://www.kirei.se>
_______________________________________________
ksk-rollover mailing list
ksk-rollover@icann.org
https://mm.icann.org/mailman/listinfo/ksk-rollover
_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.