Clarification on MaximumNumberOfKeys capability #778

@bsriramprasad

Ref to capability "MaximumNumberOfKeys"

Example use case

  • Assume device sets the capability to 4?
  • Say if device supports RSA 4096 (biggest key) AND ECC 256 (smallest key) as key type and key length.
  • In the space reserved for say 4 RSA 4096 keys, client can make (device can allow) a lot more ECC keys (>4) than RSA 4096 and hence the max limit is not reflecting the actual key creation capability.
  • There is no existing structure in current schema that reflects max keys per [type + length] combination that's possible to make in the available space.

Question
Should the MaximumNumberOfKeys capability presented by the device reflect the max number of RSA 4096 keys that the device can accommodate in parallel/simultaneously? Or should it represent the max number of ECC 256 keys that the device can accommodate in parallel/simultaneously?

Clarification?

  • Can we assume or clarify if static capability reflects the maximum number of keys that device can accommodate if all the keys created take max size? OR
  • Can we assume or clarify if static capability reflects maximum number of keys of the smallest supported key size if all the keys created take min space?

Would be good to create some clarification to make sure implementors bring in some consistency and interoperability.
