Sounds good, but I suppose we still need to select the keys somehow
(using the certs) through the CryptoAPI CSP and RSA Cryptoki
interface, so that the applications are satisfied.
It looks like you've been painted into a corner by the
selection of software you have to use. The solution using
other software is fairly simple, but if you're stuck with
using CryptoAPI and have various other constraints I don't
really know what you could do, sorry. I guess saying "Don't
do that then" isn't much help :-).
Yep. Although I don't know of any other non-proprietary
crypto-interfaces that have "widespread" application support, so I don't
really see another way around the problem other than to put pressure on the
application vendors.
And putting this pressure would be greatly helped by you guys at IETF
PKIX & SMIME if you would draft up a paper about the subject. It could
be part of SMIME specs but I would like to see it a part of PKIX specs,
since the same issue is present when building certification paths during
the certificate verification process, as well as when making the call whether
to trust the presented CA certificate or not.
Saku.