
pkcs11-comment message



Subject: RE: [pkcs11-comment] CKA_WRAP_WITH_TRUSTED and changing its value


Thanks Daniel for getting back to me on this.

 

I have been doing a lot of testing of various PKCS#11 tokens over the last few years – and this is one of the issues I came up with.

 

If I find any other issues, have you an approx. timescale by which issues for 3.2 need to be submitted?

 

Regards

 

 

John

From: Daniel Minder <Daniel.Minder@utimaco.com>
Sent: 16 March 2021 20:16
To: john.hughes@secid.co.uk; pkcs11-comment@lists.oasis-open.org
Subject: RE: [pkcs11-comment] CKA_WRAP_WITH_TRUSTED and changing its value

 

John,

 

Thanks for bringing up this issue. The PKCS #11 Technical Committee has discussed it and approves the following response:

 

The PKCS #11 Technical Committee has identified several unclarities with respect to the changeability of an attribute – and CKA_WRAP_WITH_TRUSTED is just one of them. For example, is there a difference between footnote 8 and mentioning the ability to modify a certain attribute in the text? There should be a uniform way to specify this.

 

Since PKCS #11 standard 3.1 does not accept new contributions, necessary rework is pushed to version 3.2, which will start soon.

 

Kind regards,

Daniel

 

 

From: pkcs11-comment@lists.oasis-open.org <pkcs11-comment@lists.oasis-open.org> On Behalf Of john.hughes@secid.co.uk
Sent: Friday, 15 January 2021 17:35
To: pkcs11-comment@lists.oasis-open.org
Subject: [pkcs11-comment] CKA_WRAP_WITH_TRUSTED and changing its value

 

I am testing lots of different devices and tokens against PKCS#11 2.40.

 

Progressing well – but something has come up that I don’t quite understand about the standard – and this pertains to version 3.0

 

I note the role of note 8 in table 10 – together with the nuances involving notes 11 and 12.

 

One of my test groups goes through different object types and establishes what attributes can be get and set with C_GetAttributeValue and C_SetAttributeValue, and sees if the correct CK_RV code is returned.

 

This in particular is important when trying to change an attribute value when it doesn’t have note 8 assigned from table 10.

 

The weird thing concerns the CKA_WRAP_WITH_TRUSTED attribute – which doesn’t have a note 8 associated with it – although it has a note 11.

 

All the other attributes that have either note 11 or note 12 assigned to them also have a note 8, meaning that the attribute can be changed. This pertains to CKA_EXTRACTABLE and CKA_SENSITIVE.

 

But because CKA_WRAP_WITH_TRUSTED doesn’t have a note 8 on it – then it can’t be changed and a CKR_ATTRIBUTE_READ_ONLY error should be returned.

 

So my question is whether CKA_WRAP_WITH_TRUSTED should have a note 8 assigned to it – or whether having note 11 assigned to it is not needed and the attribute value can only be set on object creation?

 

John
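
Added example, not part of the thread or of the PKCS #11 specification: a small expected-result oracle of the kind a conformance test could use for C_SetAttributeValue, showing how the two readings of the footnotes discussed above diverge for CKA_WRAP_WITH_TRUSTED. The flag names, the `reading` enum and the `expected_set_rv` helper are hypothetical; which of notes 11 and 12 applies to CKA_SENSITIVE and CKA_EXTRACTABLE is taken from the specification's attribute tables, and the return codes are defined locally with their pkcs11t.h values so the file builds without the PKCS #11 headers.

```c
#include <stdio.h>

/* Return codes, numerically as in pkcs11t.h (defined locally). */
#define CKR_OK                  0x00000000UL
#define CKR_ATTRIBUTE_READ_ONLY 0x00000010UL

/* Footnote flags (hypothetical names for notes 8, 11 and 12). */
#define NOTE_8  0x1u /* may be modified after object creation */
#define NOTE_11 0x2u /* cannot be changed once set to CK_TRUE */
#define NOTE_12 0x4u /* cannot be changed once set to CK_FALSE */

/* Strict: only note 8 grants modifiability.
 * Lenient: note 11 or 12 on its own implies it. */
enum reading { STRICT_NOTE8, NOTE11_12_IMPLY_8 };

struct attr_case { const char *name; unsigned notes; };

static const struct attr_case cases[] = {
    { "CKA_SENSITIVE",         NOTE_8 | NOTE_11 },
    { "CKA_EXTRACTABLE",       NOTE_8 | NOTE_12 },
    { "CKA_WRAP_WITH_TRUSTED", NOTE_11 }, /* the case raised in the thread */
};

/* Expected CK_RV for C_SetAttributeValue on a boolean attribute whose
 * current value is `current`, under the chosen reading. */
unsigned long expected_set_rv(unsigned notes, int current, enum reading r)
{
    int modifiable = (notes & NOTE_8) != 0;
    if (r == NOTE11_12_IMPLY_8 && (notes & (NOTE_11 | NOTE_12)))
        modifiable = 1;
    if (!modifiable)
        return CKR_ATTRIBUTE_READ_ONLY;
    if ((notes & NOTE_11) && current)   /* locked once CK_TRUE */
        return CKR_ATTRIBUTE_READ_ONLY;
    if ((notes & NOTE_12) && !current)  /* locked once CK_FALSE */
        return CKR_ATTRIBUTE_READ_ONLY;
    return CKR_OK;
}

int main(void)
{
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        for (int cur = 0; cur <= 1; cur++)
            printf("%-22s current=%d strict=0x%02lx lenient=0x%02lx\n",
                   cases[i].name, cur,
                   expected_set_rv(cases[i].notes, cur, STRICT_NOTE8),
                   expected_set_rv(cases[i].notes, cur, NOTE11_12_IMPLY_8));
    return 0;
}
```

Under the strict reading the oracle expects CKR_ATTRIBUTE_READ_ONLY for CKA_WRAP_WITH_TRUSTED whatever its current value, which leaves note 11 with no effect; under the lenient reading it expects CKR_OK while the value is CK_FALSE.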

 


