[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [pkcs11] New Mechanisms subgroup Part 4 or 4, FIPS 186-3
On 4/30/2013 5:19 PM, Robert Relyea wrote:
Part 4 FIPS 186-3 restricted mechanisms.A new set of mechanism equivalent to: CKM_DSA, CKM_RSA_PKCS, CKM_ECDSA, CKM_ECDH1_COFACTOR_DERIVE. (possibly CKM_DSA_FIPS_186_3, CKM_RSA_FIPS_186_3, CKM_ECDSA_FIPS_186_3, CKM_ECDH_FIPS_186_3)These mechanism restrict their acceptable keys and key parameters to those defines in FIPS-186-3 only.
I went back and forth on this - this seems reasonable, but I don't think its the best approach. I'm thinking that instead if the module is in FIPS mode then the underlying mechanisms should behave as you suggest.
The reason for doing it without changing mechanism is so that you don't actually have to specially code the client side to support FIPS or even know if the module is in FIPS mode. If there's a mechanism where the FIPS restrictions are so onerous as to make this a different mechanism, I'd add the new codes, but mostly this gets subsumed under what keys and parameters the module supports and should be handled the same way as a general matter of coding (e.g. grab the mechanism info C_GetMechanismInfo for details on what's supported). Maybe add a flag to the mechanism info to indicate FIPS restrictions.
Mike
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]