Anders Rundgren | 3 Jul 2010 11:31

Transaction-based Key Provisioning/Management

For any possible new ventures in this space it might be interesting to know
that the latest SKS Specification and Reference Implementation has been
updated to support fully "atomic" (transaction-based) key provisioning and
management which in practical terms means that:

1. Unless you get a power fail exactly during the <100 ms "commit" phase you
   will never end up with a half-provisioned or broken key container.

2. SKS can provide a *cryptographically verifiable proof* to the issuer that
   the *entire* provisioning session was carried out "as requested".

First I was worried that deferring a lot of operations including pretty advanced
management dittos to "closeProvisioningSession" would be difficult but the
Reference Token implementation showed that this is actually a piece of cake.

Well, it does though assume that you have megabytes of Flash storage
available, 64K RAM, as well as a speedy 32-bit processor but I consider
that reasonable since this is the state of consumer electronics these days.

This has strengthened my belief that there indeed is a point in creating a specific
"Provisioning API" while leaving PKCS #11, JCE, and CryptoAPI intact
and supporting a "User API".

Although my intent was never to create new tokens, it turned out as a *necessity*.
Lucky for me, embedded systems were my first encounter with computer
technology so I had some (albeit *extremely dated*) experience to build on :-|

Anders Rundgren
http://webpki.org/auth-token-4-the-cloud.html
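
The two properties listed in the message above (all-or-nothing commit at session close, and a proof the issuer can check over the entire session), sketched as an added example that is not taken from the SKS specification or its reference implementation. `Token`, `ProvisioningSession`, `transcript_mac`, `issuer_verifies`, the pre-shared session key and the HMAC-SHA256 transcript are assumptions made for illustration.

```python
import hashlib
import hmac


class Token:
    """Constructed stand-in for a key container; `keys` is the committed state."""
    def __init__(self, keys=None):
        self.keys = dict(keys or {})


def transcript_mac(session_key, ops):
    """MAC over every (op, key_id, data) in order; fields are length-prefixed."""
    mac = hmac.new(session_key, b"provisioning-session", hashlib.sha256)
    for op, key_id, data in ops:
        for field in (op.encode(), key_id.encode(), data):
            mac.update(len(field).to_bytes(4, "big") + field)
    return mac.digest()


class ProvisioningSession:
    def __init__(self, token, session_key):
        self.token = token
        self.session_key = session_key   # assumed already shared with the issuer
        self.pending = []                # deferred operations, nothing applied yet

    def create_key(self, key_id, key_bytes):
        self.pending.append(("create", key_id, key_bytes))

    def delete_key(self, key_id):
        self.pending.append(("delete", key_id, b""))

    def close(self):
        """Validate and apply all staged operations to a copy, then commit."""
        working = dict(self.token.keys)
        for op, key_id, data in self.pending:
            if op == "create":
                if key_id in working:
                    raise ValueError(f"duplicate key id: {key_id}")
                working[key_id] = data
            elif key_id not in working:
                raise ValueError(f"no such key: {key_id}")
            else:
                del working[key_id]
        self.token.keys = working        # commit: one reference swap
        return transcript_mac(self.session_key, self.pending)


def issuer_verifies(session_key, requested_ops, attestation):
    """Issuer recomputes the MAC over what it asked for and compares."""
    expected = transcript_mac(session_key, requested_ops)
    return hmac.compare_digest(expected, attestation)
```

If any staged operation fails validation, `close` raises before the swap and the committed container is untouched; the issuer accepts the result only when the returned MAC matches the full list of operations it requested, in order.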