Cryptographic Token Interface Standard

PKCS#11


Object Visibility

Objects such as certificates, public keys, and private keys must be visible only in the virtual slot representing the PIN that protects use of the private key. This allows applications to continue assuming that the private key is in the same slot as the corresponding certificate and/or public key (private objects are not visible until the user has logged in).

This approach has advantages and disadvantages. Since the library separates the view of the objects based on the PIN that protects them, applications that only use the objects on the virtual cards will function correctly. The problem appears when an application attempts to update the objects. The library must ensure that the certificate, public key, and private key are all updated in the same virtual card. The application should not be required to use the virtual card for PIN2 to use the private key, and the virtual card for PIN1 to update the corresponding certificate. This is not a problem for an application that knows about this access behavior, but such an application is no longer a generic PKCS #11 application. The disadvantage does not matter when the cards are issued and updated by the same company (which is true in most cases).
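The two rules above (per-PIN visibility, with CKA_PRIVATE objects hidden until login, and the requirement that a credential's certificate, public key and private key stay in one virtual card) can be made concrete with a small model. The following is an added illustration, not code from the PKCS#11 standard or from any real library. It assumes, beyond what the text states, that the library tags every object with the PIN protecting its private key (`protecting_pin`, a hypothetical field) and that the three objects of one credential share a CKA_ID value, which is the conventional way PKCS#11 applications link them.

```python
"""Toy model of PKCS#11 "virtual slots" on a multi-PIN smart card.

Added example, not code from the PKCS#11 standard or any real library.
Assumed (not on the page): each object carries a library-side
'protecting_pin' field, and a certificate/public key/private key
triplet is linked by a shared CKA_ID value.
"""
from dataclasses import dataclass

# Real PKCS#11 object-class names, used here only as readable tags.
CKO_CERTIFICATE, CKO_PUBLIC_KEY, CKO_PRIVATE_KEY = "cert", "pubkey", "privkey"


@dataclass(frozen=True)
class TokenObject:
    cka_class: str
    cka_id: bytes          # links the three objects of one credential
    cka_private: bool      # CKA_PRIVATE = CK_TRUE: visible only after C_Login
    protecting_pin: str    # hypothetical: PIN that protects this credential
    label: str = ""


@dataclass
class VirtualSlot:
    pin_name: str          # the PIN this virtual slot represents
    logged_in: bool = False


# Constructed sample card: two credentials, each protected by a different PIN.
CARD = [
    TokenObject(CKO_CERTIFICATE, b"\x01", False, "PIN1", "auth cert"),
    TokenObject(CKO_PUBLIC_KEY,  b"\x01", False, "PIN1", "auth pub"),
    TokenObject(CKO_PRIVATE_KEY, b"\x01", True,  "PIN1", "auth priv"),
    TokenObject(CKO_CERTIFICATE, b"\x02", False, "PIN2", "sign cert"),
    TokenObject(CKO_PUBLIC_KEY,  b"\x02", False, "PIN2", "sign pub"),
    TokenObject(CKO_PRIVATE_KEY, b"\x02", True,  "PIN2", "sign priv"),
]


def find_objects(card, slot):
    """Model of C_FindObjects under the visibility rule: only objects whose
    private key is protected by this slot's PIN are visible, and CKA_PRIVATE
    objects only once the slot is logged in."""
    return [
        o for o in card
        if o.protecting_pin == slot.pin_name
        and (slot.logged_in or not o.cka_private)
    ]


def visible_labels(card, slot):
    """Convenience view of find_objects() for inspection and tests."""
    return [o.label for o in find_objects(card, slot)]


def create_object(card, slot, cka_class, cka_id, cka_private=False, label=""):
    """Model of C_CreateObject enforcing the update-consistency rule: a new
    object must land in the same virtual card as the private key that shares
    its CKA_ID, and private objects need a logged-in session."""
    owners = {o.protecting_pin for o in card
              if o.cka_id == cka_id and o.cka_class == CKO_PRIVATE_KEY}
    if owners and owners != {slot.pin_name}:
        raise PermissionError(
            f"CKA_ID {cka_id.hex()} belongs to virtual card(s) {sorted(owners)}, "
            f"not {slot.pin_name}")
    if cka_private and not slot.logged_in:
        raise PermissionError("CKR_USER_NOT_LOGGED_IN")
    obj = TokenObject(cka_class, cka_id, cka_private, slot.pin_name, label)
    card.append(obj)
    return obj


if __name__ == "__main__":
    slot1, slot2 = VirtualSlot("PIN1"), VirtualSlot("PIN2")
    print("PIN1 slot, logged out:", visible_labels(CARD, slot1))
    slot1.logged_in = True
    print("PIN1 slot, logged in: ", visible_labels(CARD, slot1))
    print("PIN2 slot, logged out:", visible_labels(CARD, slot2))
    try:  # renewing PIN2's certificate through the PIN1 virtual card is refused
        create_object(list(CARD), slot1, CKO_CERTIFICATE, b"\x02", label="renewed")
    except PermissionError as e:
        print("rejected:", e)
```

Running the module shows the PIN1 slot listing only the certificate and public key until login, the PIN2 slot never showing PIN1's objects, and an attempt to write a replacement certificate for PIN2's key pair through the PIN1 virtual card being refused, which is the cross-card update the text says a generic application must not be forced into.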


RSA Security Inc. Public-Key Cryptography Standards - PKCS#11 - v2.11