CKA_DESTROYABLE

[Michael StJohns <msj@nthpermutation.com>]

I've started work on the 3.0 "protection attributes" section.  As part of that, I ended up writing a description of the CKA_DESTROYABLE attribute - and that made me think about some interesting interactions with CKA_TOKEN.

I'm half thinking that we need to update the description of CKA_DESTROYABLE for 2.4 as I don't think we covered this properly.

(I've got CKA_DESTROYABLE as a sticky attribute with the sticky value being CK_FALSE and the unset default value being CK_TRUE)

Here's what I've written on this:

CKA_DESTROYABLE

This attribute controls the use of the C_DestroyObject command on the containing object.  The command may only be used on the object if the value of CKA_DESTROYABLE of the object being destroyed is set to CK_TRUE.  If this attribute is set to CK_FALSE, then if the CKA_TOKEN attribute is set to CK_TRUE (e.g. the object is a token object), the object is persistent until the token is reinitialized through a call to C_InitToken, or zeroized through non-PKCS11 means.  Otherwise, if the object is a session object, setting the attribute to CK_TRUE causes the object to persist until the session is terminated.

If a non-destroyable session object is changed to a token object, unless the call to C_SetAttributeValue includes a specific setting for CKA_DESTROYABLE, the call will remove the setting for that attribute on the token object (e.g. the object will take on the default value for CKA_DESTROYABLE).  This ensures that an implementation will not inadvertently create non-destroyable token objects.

If a non-destroyable object is also a token object, it may NOT be changed into a session object.  E.g., if a token object is non-destroyable, its CKA_TOKEN attribute is read-only and has a value of CK_TRUE.

Thoughts?

Mke