On Wed, 2016-01-13 at 06:05 -0800, Tadeusz Struk wrote:
>
> I agree, ideally keyctl should do the job for all the cases and
> request_key() should just return a key data.

No, you can NOT RELY ON HAVING THE KEY DATA. It might be in hardware.

You might have something which will perform sign/verify/encrypt/decrypt operations *with* the key at your request, but which can never just *give* you the key.

Any crypto API which relies on *having* the key is fundamentally wrong.

--
dwmw2