Response to your questions on CKM_AES_XTS, CKM_RSA_PKCS_FIPS_186_4, and CKM_DSA_FIPS_186_4

["Oscar K So Jr." <oscar.so@oracle.com>]

Michael StJohns,

Note: I use "[QCR_xxx]" to keep track of every questions (Q), comments 
(C), and recommendations (R) internally so that we don't miss any of 
your QCR(s). You may ignore these.


[QCR_011] CKM_AES_XTS
You recommended: "You can reference both NIST SP800-38E and IEEE 
1619-2007, but if you do then you need to be clear which is controlling 
and how it differs from the other.  Given that the NIST document is a 
wrap-around for the IEEE document, I think you have to reference the 
IEEE one as a minimum.  If you reference the NIST document then you 
should probably do it like"

RESPONSE:
We agreed with you, and we will just reference "NIST SP800-38E" in the spec.


[QCR_012] CKM_RSA_PKCS_FIPS_186_4
You recommended: "A better way to deal with this is to set the 
ulMinKeySize parameter of the CK_MECHANISM_INFO for CKM_RSA_PKCS to 1024 
and to note - in the product guidance - that 1024, 2048 and 3072 are the 
only valid lengths when you're in FIPS mode.

The way I look at it is the client has to know whether or not the module 
is FIPS or not, and if it is, it's going to expect an error if it 
attempts to use the underlying mechanism for different values."

RESPONSE:
We agreed with you.


[QCR_013] CKM_DSA_FIPS_186_4
You recommended: "Same objection as to CKM_RSA_FIPS_186_4 proposal (in 
QCR_012)"

RESPONSE:
We agreed with you.
ulMinKeySize for DSA on tokens in FIPS mode should be 1024. Tokens 
should enforce the valid key lengths of 1024, 2048, and 3072 when keys 
are actually used to sign and verify.



--

Best,
Oscar