Usage notes
The usage notes for CSNDT34B.
The TR-34 Bind-Begin verb is used to perform these operations:
- BINDCR: The TR34 BIND token (CT-KDH) CREATE service.
  - CT-KRD: (INPUT, input_token). Credential token received from KRD, containing Cred-KRD.
  - CRL-CA: (INPUT, crl). Certificate Revocation List from CA.
  - CredKDH: (INPUT, cred_kdh). KDH credential (X.509 certificate) with ID and public key.
  - CredKRD: (OUTPUT, cred_krd). KRD credential (X.509 certificate) needed for future key distribution calls.
  - CT-KDH: (OUTPUT, output_token). BIND token in DER format.
- UNBINDCR: The TR34 UNBIND token (UBT-KDH) CREATE service.
  - RT-KRD: (INPUT, input_token). Random number token received from KRD.
  - CRL-CA: (INPUT, crl). Certificate Revocation List from CA.
  - CredKDH: (INPUT, cred_kdh). KDH credential (X.509 certificate) with ID and public key.
  - CredKRD: (INPUT, cred_krd). KRD credential (X.509 certificate) with ID and public key.
  - D-kdh: (INPUT, private_key_identifier). Private key to sign data block.
  - UBT-KDH: (OUTPUT, output_token). UNBIND token in DER format.
- REBINDCR: The TR34 REBIND token (RBT-KDH) CREATE service.
  - RT-KRD: (INPUT, input_token). Random number token received from KRD.
  - CRL-CA: (INPUT, crl). Certificate Revocation List from CA.
  - CredKDH-new: (INPUT, cred_kdh). New KDH credential (X.509 certificate) with ID and public key.
  - CredKDH-old: (INPUT, old_cred_kdh). Old KDH credential (X.509 certificate) with ID and public key.
  - CredKRD: (INPUT, cred_krd). KRD credential (X.509 certificate) with ID and public key.
  - D-kdh: (INPUT, private_key_identifier). Old private key, needed to sign the REBIND data block.
  - RBT-KDH: (OUTPUT, output_token). REBIND token in DER format.
Notes:
- This verb supports PCI-HSM 2016 compliant-tagged key tokens.
- The RT-KRD token can be created with correct formatting using the RT-KRD processing of the CSNBRNGL service. See Random Number Generate Long (CSNBRNGL) for more details.
- CCA supports RSA 2048-bit and 3072-bit keys. This allows strength equivalent to an AES 128-bit key. TR-34 explicitly supports only RSA 2048-bit keys, so some vendors support only that key size.
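
The key-size note above can be turned into a pre-flight check on a credential before it is passed as cred_kdh or cred_krd. The following is an added example, not IBM code and not part of the CCA API: every function name and the returned status strings are hypothetical, the DER walker handles only single-byte tags, and the sample certificate is constructed and unsigned.

```python
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def tlv(tag, content):
    """DER-encode one element (used only to build the constructed sample)."""
    n = len(content)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def children(buf):
    """Split DER content into (tag, content) pairs; single-byte tags only."""
    out, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long-form length: low 7 bits give the number of length octets
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("truncated DER")
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def rsa_modulus_bits(cert_der):
    """RSA modulus size in bits of a DER X.509 certificate."""
    fields = children(children(children(cert_der)[0][1])[0][1])  # tbsCertificate
    if fields[0][0] == 0xA0:  # optional [0] version
        fields = fields[1:]
    alg, key = children(fields[5][1])  # subjectPublicKeyInfo
    if children(alg[1])[0][1] != RSA_OID:
        raise ValueError("not an RSA key")
    rsa_key = children(key[1][1:])[0][1]  # skip the BIT STRING unused-bits octet
    return int.from_bytes(children(rsa_key)[0][1], "big").bit_length()

def tr34_key_size_check(cert_der):
    """Hypothetical pre-flight policy based on the key-size note."""
    bits = rsa_modulus_bits(cert_der)
    if bits == 2048:
        return "ok"
    return "ok-cca-check-peer" if bits == 3072 else "unsupported"

def sample_cert(bits):
    """Constructed, unsigned certificate-shaped DER; not a real credential."""
    n = (1 << (bits - 1)) | 1
    rsa = tlv(0x30, tlv(0x02, b"\x00" + n.to_bytes(bits // 8, "big")) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b"")) + tlv(0x03, b"\x00" + rsa))
    empty = tlv(0x30, b"")
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + empty * 4 + spki)
    return tlv(0x30, tbs + empty + tlv(0x03, b"\x00"))
```

A result of "ok-cca-check-peer" means CCA accepts the key but the peer device should be confirmed to support 3072-bit RSA before the BIND exchange is attempted.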