[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [pkcs11] New Mechanisms subgroup Part 3 or 4, new AES
On 5/1/2013 11:01 AM, mark powers wrote:
I think that adding a mode simply because you don't want to move bits around is probably a bad idea.I believe there is value in being able to connect mechanisms mentioned in a spec to mechanisms supported by PKCS11. Not everyone is going to dig deeper to figure out that mechanism X is the same as Y whencertain parameters are set. I'm obviously wearing "marketing" hat today.
The issue here is there are lots of mechanisms that use truncated hashes or MACs. Rather than put in possibly 100 new mechanisms, I'd much rather generalize the mechanisms so that we can subsume all of those.
So instead of CKM_AES_XCBC_MAC_96 let's do CKM_AES_XCBC_MAC_GENERAL as that seems to be the common approach.
In the same way, I'm thinking that it might be useful to define a generic signature mechanism in which you specify separately the summary (hash mechanism with padding) and the actual public key operation as part of the mechanism info. That would give a path for new hash/PK combos without waiting for PKCS11 to act.
Mike
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]