<html>

  <head>

    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

  </head>

  <body>

    <div class="moz-cite-prefix">Hi Tomofumi - <br>

    </div>

    <div class="moz-cite-prefix"><br>

    </div>

    <div class="moz-cite-prefix">KMIP is probably not relevant to this

      problem.  The problem I think you're trying to solve here is not

      one of interface (how to talk to the keys), but of key

      protection.  <br>

    </div>

    <div class="moz-cite-prefix"><br>

    </div>

    <div class="moz-cite-prefix">Mike<br>

    </div>

    <div class="moz-cite-prefix"><br>

    </div>

    <div class="moz-cite-prefix">On 8/2/2023 2:35 AM, Tomofumi Okubo via

      ksk-rollover wrote:<br>

    </div>

    <blockquote type="cite"

cite="mid:CAJwNE+8-rf2-aMpMZHA-D7+mpFw_7jLLHBim+BccTvNjpp4Vsw@mail.gmail.com">

      <meta http-equiv="content-type" content="text/html; charset=UTF-8">

      <div dir="ltr">There is not much you can do with the existing keys

        but still, KMIP is something to consider going forward if one is

        concerned about vendor lock-ins.

        <div>Needless to say, like anything else, there is a tradeoff.</div>

        <div><br>

        </div>

        <div>Cheers!</div>

        <div>T.</div>

      </div>

      <br>

      <div class="gmail_quote">

        <div dir="ltr" class="gmail_attr">On Mon, Jul 31, 2023 at

          11:23 PM Jakob Schlyter via ksk-rollover <<a

            href="mailto:ksk-rollover@icann.org" moz-do-not-send="true"

            class="moz-txt-link-freetext">ksk-rollover@icann.org</a>>

          wrote:<br>

        </div>

        <blockquote class="gmail_quote" style="margin:0px 0px 0px

          0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On

          2023-07-31 at 14:53, Frederico A C Neves via ksk-rollover

          wrote:<br>

          <br>

          > From our experience besides admin interfaces, standard

          APIs for<br>

          > regular operations, generating keys, sign, verify etc...

          are available<br>

          > (PKCS#11/KMIP) from multiple vendors. But

          exporting/importing a key,<br>

          > specially with the no-export attribute set, among vendors

          is not<br>

          > available.<br>

          <br>

          I concur; moving keys not marked as CKA_EXTRACTABLE (at time

          of generation) is generally not supported (due to FIPS

          requirements).<br>

          <br>

                  jakob<br>

          <br>

          -- <br>

          Jakob Schlyter<br>

          Kirei AB - <a href="http://www.kirei.se" rel="noreferrer"

            target="_blank" moz-do-not-send="true">www.kirei.se</a><br>

          _______________________________________________<br>

          ksk-rollover mailing list<br>

          <a href="mailto:ksk-rollover@icann.org" target="_blank"

            moz-do-not-send="true" class="moz-txt-link-freetext">ksk-rollover@icann.org</a><br>

          <a href="https://mm.icann.org/mailman/listinfo/ksk-rollover"

            rel="noreferrer" target="_blank" moz-do-not-send="true"

            class="moz-txt-link-freetext">https://mm.icann.org/mailman/listinfo/ksk-rollover</a><br>

          <br>

          _______________________________________________<br>

          By submitting your personal data, you consent to the

          processing of your personal data for purposes of subscribing

          to this mailing list accordance with the ICANN Privacy Policy

          (<a href="https://www.icann.org/privacy/policy"

            rel="noreferrer" target="_blank" moz-do-not-send="true"

            class="moz-txt-link-freetext">https://www.icann.org/privacy/policy</a>)

          and the website Terms of Service (<a

            href="https://www.icann.org/privacy/tos" rel="noreferrer"

            target="_blank" moz-do-not-send="true"

            class="moz-txt-link-freetext">https://www.icann.org/privacy/tos</a>).

          You can visit the Mailman link above to change your membership

          status or configuration, including unsubscribing, setting

          digest-style delivery or disabling delivery altogether (e.g.,

          for a vacation), and so on.<br>

        </blockquote>

      </div>

      <br>

      <fieldset class="moz-mime-attachment-header"></fieldset>

      <pre class="moz-quote-pre" wrap="">_______________________________________________

ksk-rollover mailing list

<a class="moz-txt-link-abbreviated" href="mailto:ksk-rollover@icann.org">ksk-rollover@icann.org</a>

<a class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/ksk-rollover">https://mm.icann.org/mailman/listinfo/ksk-rollover</a>

_______________________________________________

By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<a class="moz-txt-link-freetext" href="https://www.icann.org/privacy/policy">https://www.icann.org/privacy/policy</a>) and the website Terms of Service (<a class="moz-txt-link-freetext" href="https://www.icann.org/privacy/tos">https://www.icann.org/privacy/tos</a>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.</pre>

    </blockquote>

    <p><br>

    </p>

  </body>

</html>