On 8/14/2013 4:50 AM, Oscar So wrote:
Michael,
I have a few questions:
1) Has anyone questioned you or commented about this proposal?
Not so far.
2) For CKA_UUID, it means universally unique ID, right? If that's
the case, what is the scope of this uniqueness? I mean, you cannot
guarantee the uniqueness across the internet, but perhaps within
a scope.
It's only necessary to be unique within the token. I was going to
reference the UUID RFC4122 and suggest using either a SHA based UUID
or a clock based UUID. Given that I spec'd this as 128 bits, if
this were simply a random number it would probably (very very large
probably) be globally unique.
3) For CKA_UUID and CKA_WRAP_WITH_UUID, can the implementor choose
not to implement this field? Can it be of type CK_BYTE_PTR or
something? Or, when the whole thing is zero 0x00000000000....000,
does it mean not applicable?
You have to have CKA_UUID to use CKA_WRAP_WITH_UUID. The former is
sort of mandatory to implement if you want to do the latter. But
there is no requirement to tag any key with CKA_WRAP_WITH_UUID if
you don't want to.
(More on this later - running for the plane now).
Mike
Thanks,
Oscar
On 08/ 1/13 06:54 AM, Michael StJohns wrote:
Submitter's message
This is the formal submission for CKA_UUID and
CKA_WRAP_WITH_UUID. It is also the formal submission for
CKA_DERIVE_TEMPLATE (not previously described) and a slight
update in the wording for CKA_UNWRAP_TEMPLATE with respect to
how that template can be changed.
-- Michael StJohns
Document Name: pkcs11-cka_uuid-wrapWithUUID-cka-derive-template.docx
Description
Three items here, but did this as a single document since the edits were all in this section:
1) Fixing the text on CKA_UNWRAP_TEMPLATE to indicate it can be set once and then is read-only.
2) Adding CKA_UUID and CKA_WRAP_WITH_UUID. The first attribute marks each key with a pseudo-random UUID that changes anytime the key changes. The second points to the first for the purpose of uniquely identifying a key that can be used to wrap this key.
3) Added CKA_DERIVE_TEMPLATE. This exactly mirrors CKA_UNWRAP_TEMPLATE in that it is applied to a key derived from the key this attribute is on. This is necessary to set things like the sensitivity or extractability of derived keys.
Submitter:
Michael StJohns
Group: OASIS PKCS 11 TC
Folder: Working Drafts
Date submitted: 2013-08-01 06:54:29
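
The following C sketch models how the CKA_UUID / CKA_WRAP_WITH_UUID pairing described in the thread above could behave inside a token; it is an added example, not code from the thread, the submitted document, or any PKCS #11 implementation. The `key_obj` structure and the functions `new_uuid`, `set_key_value`, `tag_wrap_with` and `may_wrap` are hypothetical, the token-side enforcement rule in `may_wrap` is an assumption, and the UUID is generated as a random RFC 4122 version 4 value from `/dev/urandom` rather than the SHA-based or clock-based variants mentioned in the reply.

```c
#include <stdio.h>
#include <string.h>

typedef unsigned char CK_BYTE;            /* same base type PKCS #11 uses */
#define UUID_LEN 16                       /* 128 bits, as in the proposal */

/* Hypothetical token-side key object; not a real PKCS #11 structure. */
typedef struct {
    CK_BYTE value[32];                    /* key material */
    CK_BYTE uuid[UUID_LEN];               /* models CKA_UUID */
    int     has_wrap_with;                /* 0 = key is not tagged */
    CK_BYTE wrap_with[UUID_LEN];          /* models CKA_WRAP_WITH_UUID */
} key_obj;

/* Random (version 4) UUID per RFC 4122; returns 0 on success. */
static int new_uuid(CK_BYTE out[UUID_LEN]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(out, 1, UUID_LEN, f);
    fclose(f);
    if (n != UUID_LEN) return -1;
    out[6] = (CK_BYTE)((out[6] & 0x0F) | 0x40);   /* version 4 */
    out[8] = (CK_BYTE)((out[8] & 0x3F) | 0x80);   /* RFC 4122 variant */
    return 0;
}

/* Any change to the key value gives the key a fresh UUID. */
static int set_key_value(key_obj *k, const CK_BYTE *val, size_t len) {
    if (len > sizeof k->value) return -1;
    memset(k->value, 0, sizeof k->value);
    memcpy(k->value, val, len);
    return new_uuid(k->uuid);
}

/* Tag target so that only the key carrying wrapper's current UUID may wrap it. */
static void tag_wrap_with(key_obj *target, const key_obj *wrapper) {
    memcpy(target->wrap_with, wrapper->uuid, UUID_LEN);
    target->has_wrap_with = 1;
}

/* Assumed enforcement: untagged keys are unrestricted, tagged keys need a match. */
static int may_wrap(const key_obj *wrapper, const key_obj *target) {
    if (!target->has_wrap_with) return 1;
    return memcmp(wrapper->uuid, target->wrap_with, UUID_LEN) == 0;
}
```

Under these assumptions, replacing the value of the wrapping key also invalidates every CKA_WRAP_WITH_UUID reference to it, so a swapped-in key cannot inherit the wrapping permission.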