Rudi, I need to correct your ideas about CCA and EP11:
> As far as I understood, CCA allows you to get the clear key, while PKCS (EP11?) is more severe.
Both CCA and EP11 are what we call "Secure Key" architectures. That means that they both keep your keys very secure, and never expose cleartext keys. CCA has no function that will ever provide the cleartext value of a key.
The main difference between CCA and EP11 is the intended use. EP11 is an implementation of the general-purpose PKCS#11 API. It is particularly useful when working with "generic" applications that are written to use that API and to be portable between different kinds of computer systems and cryptographic providers. CCA also supports a full set of general-purpose cryptographic functions, but it is designed with a focus on the many special needs of cryptography in the banking and payments industries. There are many functions that are required in that area which cannot be done with a generic API like PKCS#11.
ToddArnold