Usage notes

Usage notes for CSNBDKG2.

Starting with CCA 8.1, the generated_key_identifier takes its compliance-tagged property from the generating_key_identifier, resulting in the following behavior:

  1. If the generating key is compliance-tagged, but the generated key skeleton is not compliance-tagged, then the generated key is compliance-tagged.
  2. If the generating key is not compliance-tagged, but the generated key skeleton is compliance-tagged, then the generated key is not compliance-tagged.

When using TR-31 key tokens, the following applies:

  • When the generated_key_identifier1 parameter contains a skeleton TR-31 token:
    • If the generating_key_identifier does not contain the DA optional block, then the skeleton TR-31 token in generated_key_identifier1 is only checked against the allowed key usage values for the CSNBDKG2 verb.
    • If the generating_key_identifier contains the DA optional block, the generated_key_identifier1 skeleton is also checked against the allowed key block header configurations contained in the DA optional block. The skeleton attributes must be an exact match for one of the derivations in the optional block. If an exact match is not found, an error is thrown.
  • When the generated_key_identifier1 parameter contains a NULL token, the CSNBDKG2 service builds the generated_key_identifier1 according to the allowed configuration specified in the generating_key_identifier. For this case, the generating_key_identifier must contain the DA optional block, and the DA optional block must contain exactly one allowed configuration.
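
The compliance-tag rule and the TR-31 skeleton rules above can be modeled as a small decision function for predicting the outcome of a call before sending it to the coprocessor. This is an added example, not IBM code and not a CCA API call. The Header field set, the DerivationRejected exception, both function names and the contents of VERB_ALLOWED_USAGES are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed placeholder set: the key usage values the verb actually allows
# are not listed on this page.
VERB_ALLOWED_USAGES = frozenset({"P0", "M3"})


@dataclass(frozen=True)
class Header:
    """TR-31 header attributes compared during the check (assumed field set)."""
    key_usage: str
    algorithm: str
    mode_of_use: str
    exportability: str


class DerivationRejected(Exception):
    """Stands in for the error the verb returns; real return codes not modeled."""


def resolve_header(skeleton: Optional[Header],
                   da_block: Optional[Sequence[Header]]) -> Header:
    """Return the header the generated key would get, or raise.

    skeleton=None models a NULL token; da_block=None models a generating key
    without the DA optional block.
    """
    if skeleton is None:
        # NULL token: the service builds the token from the DA block, which
        # must be present and hold exactly one allowed configuration.
        if da_block is None:
            raise DerivationRejected("NULL token needs a DA optional block")
        if len(da_block) != 1:
            raise DerivationRejected("DA block must hold exactly one configuration")
        return da_block[0]
    # Skeleton supplied: always checked against the verb's allowed usages.
    if skeleton.key_usage not in VERB_ALLOWED_USAGES:
        raise DerivationRejected("key usage not allowed for the verb")
    # With a DA block, the skeleton must also match one entry exactly.
    if da_block is not None and skeleton not in da_block:
        raise DerivationRejected("skeleton matches no derivation in DA block")
    return skeleton


def generated_is_compliance_tagged(generating_tagged: bool,
                                   skeleton_tagged: bool) -> bool:
    """CCA 8.1 and later: the generating key's tag wins; the skeleton's is ignored."""
    return generating_tagged
```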