OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

pkcs11 message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Recommendations for Issues #14, #15, #16, #18, and #19 for PKCS 11 v 3.0


Issue #14:

Definitions of CKK_MD5_HMAC, CKK_RIPEMD128_HMAC and CKK_RIPEMD160_HMAC were merged from draft of v2.30.
They were not present in v2.40 and currently are not described in the docs.

CKM_MD5_HMAC, CKM_RIPEMD128_HMAC, and CKM_RIPMEMD160_HMAC were all moved to historical mechanisms in 2.40. The are currently defined in the headers, but not in the document.

Option 1: Remove them from the headers and mark them reserved in our database.
Option 2: Update the Historical documents to include them in the Historical mechanism doc
Option 3: Option 2 and add the key generation mechanisms for them in both the Historical documents and the headers.
Recommendation: Option 1.

Issue #15

Definitions of CKK_SHA_1_HMAC, CKK_SHA256_HMAC, CKK_SHA384_HMAC, CKK_SHA512_HMAC, CKK_SHA224_HMAC were merged from draft of v2.30.
Their values were not present in v2.40. This should be at least mentioned in errata docs.

These were updated by Darren Johnson's SHA2 update proposal, balloc 10/26.

Recommendation: Close issue as fixed.

Issue #16


Definitions of CKM_ECDSA_SHA224, CKM_ECDSA_SHA256, CKM_ECDSA_SHA384 and CKM_ECDSA_SHA512 are completely new in v2.40e1 headers.
They were not present in any older version and currently are not described in the docs.
This may be a leftover from v2.30 headers (see #2).

This is still an issue.
Option 1: remove CKM_ECDSA_SHA224, CKM_ECDSA_SHA256, CKM_ECDSA_SHA384 and CKM_ECDSA_SHA512 from the header.
Option 2: Add definitions in the document for these mechanism.
Option 3: Option 2 plus add definitions for the SHA3 equivalents.
Recommendation: Option 3

Issue #18


Definitions of CK_AES_GCM_PARAMS and CK_AES_CCM_PARAMS structures are completely new in v2.40e1 headers and they are already marked as deprecated.
This may be a leftover from v2.30 headers (see #2). It is strange to see a new structure being introduced and deprecated in the same time.

These AES specific params were replaced by generic params for any GCM or CCM mechanism. Only the structs were renamed. The old names were part of v2.30, and maintaining them was part of a recognition to the legitimacy of 2.30. The issue was only that it was weird that they were added then deprecated, but that was our intention from the beginning.

Recommendation: Close issue as not an issue.

Issue #19


Definitions of CKD_SHA224_KDF, CKD_SHA256_KDF, CKD_SHA384_KDF, CKD_SHA512_KDF and CKD_CPDIVERSIFY_KDF are completely new in v2.40e1 headers.
This may be a leftover from v2.30 headers (see #2).


CKD_SHA224_KDF, CKD_SHA256_KDF, CKD_SHA384_KDF, CKD_SHA513_KDF are listed in table 34 in seciont 2.3.8 of the spec, but no text describes how they are use.
CKD_CPDIVERSIFY_KDF is described in GOSTR3410_DERIVE_PARAMS.

Recommendation: Add CKD_CPDIVERSIFY_KDF to the GOST R 34.10-2001 (section 2.45) Definitions, add CKD_SHAx_KDF to section 2.3.2 definitions. Add more general descriptions for CKD_SHAx_KDF to secion 2.3.8 rather than just CKD_SHA1_KDF



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]