OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

pkcs11 message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [pkcs11] Proposal: CKM_RSA_PKCS_FIPS_186_4

Oscar,

I was wrong -- the compatibility is definitely there, so no issues there.

I think the bigger problem is that this standard restricts not only key sizes, but also key usages -- to the point even where a key which is used to perform an X9.31 signature, is not allowed to perform an RSASSA-PSS signature?  I think that's too much to expect.

So I go back to my original assertion about all these FIPS 186-4 mechanisms -- I think that having P11 mechanisms tied to this standard is too restrictive and could be better handled using profiles instead.

Thanks,

Bob

> -----Original Message-----
> From: pkcs11@lists.oasis-open.org [mailto:pkcs11@lists.oasis-open.org] On
> Behalf Of Burns, Robert
> Sent: Thursday, August 01, 2013 10:55 AM
> To: oscar.so@oracle.com; pkcs11@lists.oasis-open.org
> Subject: RE: [pkcs11] Proposal: CKM_RSA_PKCS_FIPS_186_4
> 
> Oscar,
> 
> Similarly, I am wondering if having a mechanism which is identical to
> CKM_RSA_PKCS, but restricts key sizes is an appropriate restriction?  Also, I
> am not 100% confident that CKM_RSA_PKCS is compatible with the
> restrictions put forth in 186-3/4 -- I'll look into this.
> 
> Finally, I think the hard problems that 186-3/4 puts forth is in key generation
> rather than algorithm usage -- so something to think about.
> 
> Thanks,
> 
> Bob
> 
> > -----Original Message-----
> > From: pkcs11@lists.oasis-open.org [mailto:pkcs11@lists.oasis-open.org]
> > On Behalf Of Oscar K So Jr.
> > Sent: Wednesday, July 31, 2013 5:10 PM
> > To: pkcs11@lists.oasis-open.org
> > Subject: [pkcs11] Proposal: CKM_RSA_PKCS_FIPS_186_4
> >
> > Proposal: CKM_RSA_PKCS_FIPS_186_4
> >
> > FIPS-183-4 algorithms:
> > http://www.ofr.gov/OFRUpload/OFRData/2013-17396_PI.pdf
> >
> > This mechanism is equivalent to: CKM_RSA_PKCS
> >
> >
> >
> > --
> >
> > Best,
> > Oscar
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-
> open.org/apps/org/workgroup/portal/my_workgroups.php

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]