Re: [pkcs11] C_ChangeLabel/C_ClearToken

[Michael StJohns <msj@nthpermutation.com>]

On 5/9/2013 5:47 PM, Dina Kurktchi wrote:
> Hi,
>
> Is there interest in adding (at least) 2 more functions
> to the PKCS#11 specification:
>
> a) C_ChangeLabel - to change the token label, without
>     emptying its contents (i.e., not C_InitToken)
I'd probably suggest doing this through a CKA_LABEL attribute on a 
"hardware" object that represents the token.   Maybe something like 
CKA_CLASS = CKO_HW_FEATURE and  CKA_HW_FEATURE_TYPE = CKH_TOKEN_LABEL  
or maybe more general CKH_TOKEN_DATA with a CKA_LABEL as one of the 
attributes.

Use C_SetAttributeValue to set/get it.
> b) C_ClearToken - to explicitly empty all the objects
>     currently on a token but leave it otherwise
>     intact (i.e., again, not C_InitToken)
This is pretty easy to implement through C_FindObjects/C_DestroyObject.  
Is there a specific reason this would need to be an atomic operation?

Another way (rather than a new command) might be to have a "CKA_CLEAN" 
boolean attribute on that hardware feature that does the erase when you 
set the value of the attribute to TRUE.  Or you can have a CK_LONG where 
you have a mask of items  (keys, certs) where you can clear all of that 
group of objects.

Regardless of how you do it, you need to be clear on exactly what goes 
away when.

> If there is interest, then we can pursue the idea, make
> it pretty, and so on.

In some ways, renaming a token may be a bad idea from a security point 
of view.  You may want to limit this to the CKU_SO login if you permit 
it at all.  That, in the final analysis, may be the main reason for not 
pursuing the idea.

Mike

> Thanks,
> D.
>
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that 
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php