<div dir="ltr">There is not much you can do with the existing keys but still, KMIP is something to consider going forward if one is concerned about vendor lock-ins.<div>Needless to say, like anything else, there is a tradeoff.</div><div><br></div><div>Cheers!</div><div>T.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jul 31, 2023 at 11:23 PM Jakob Schlyter via ksk-rollover <<a href="mailto: ksk-rollover@icann.org">ksk-rollover@icann.org </a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 2023-07-31 at 14:53, Frederico A C Neves via ksk-rollover wrote:<br> <br>
From our experience besides admin interfaces, standard APIs for<br> regular operations, generating keys, sign, verify etc... are available<br> (PKCS#11/KMIP) from multiple vendors. But exporting/importing a key,<br> specially with the no-export attribute set, among vendors is not<br> available.<br> <br> I concur; moving keys not marked as CKA_EXTRACTABLE (at time of generation) is generally not supported (due to FIPS requirements).<br> <br> Â Â Â Â jakob<br> <br> -- <br> Jakob Schlyter<br> Kirei AB - <a href="http://www.kirei.se" rel="noreferrer" target="_blank"> www.kirei.se</a><br> _______________________________________________<br> ksk-rollover mailing list<br> <a href="mailto:ksk-rollover@icann.org" target="_blank"> ksk-rollover@icann.org</a><br> <a href="https://mm.icann.org/mailman/listinfo/ksk-rollover " rel="noreferrer" target="_blank"> https://mm.icann.org/mailman/listinfo/ksk-rollover</a><br> <br> _______________________________________________<br> By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<a href=" https://www.icann.org/privacy/policy" rel="noreferrer" target="_blank"> https://www.icann.org/privacy/policy </a>) and the website Terms of Service (<a href=" https://www.icann.org/privacy/tos" rel="noreferrer" target="_blank"> https://www.icann.org/privacy/tos </a>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.<br> </blockquote></div>