pkcs11 message


Subject: FIPS-180-3 and PKCS #11.


We've been made aware of some potential changes we may need in the PKCS #11 spec to handle FIPS-180-3. At this point we aren't quite sure they are necessary (because the Guidance hasn't been written yet), but it got us thinking that this change may not be the only change driven by FIPS-180-3, and then many others in the working group may face similar issues.

I'd like to propose we collect all the feedback we are getting from our labs, and even if we need to do a one-off vendor-specific thing, we collect that in a wiki and make FIPS-180-3 a focus of PKCS #11 v3.2. We would collect the requirements now so we can build proposed solutions in the 3.2 (or 3.3) time frame.

The requirement I tripped across was the requirement to programmatically indicate which functions and modes are FIPS validated. This has been traditionally handled in the Security Policy. Exactly what is needed isn't yet known, but I can envision a function that returns a MechanismInfo that applies to the algorithm as it was validated (maybe restricted key sizes, or restricted flags (AES_GCM, for instance may only have the CKF_MESSAGE_DECRYPT flag and not the CKF_DECRYPT flag)).
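
The following is an added example, not part of the original message and not a PKCS #11 API: a sketch in C of what a "MechanismInfo as validated" lookup could return, by narrowing the info a token reports (as from `C_GetMechanismInfo`) to a validated profile. The helper name `validated_mechanism_info`, the `validated_entry` table and its sample AES-GCM row are assumptions; the type and constant definitions are local copies of PKCS #11 v3.0 values so the block builds without `pkcs11.h`.

```c
#include <stddef.h>

/* Local copies of PKCS #11 v3.0 definitions (normally from pkcs11.h). */
typedef unsigned long CK_ULONG, CK_FLAGS, CK_MECHANISM_TYPE;
typedef struct {
    CK_ULONG ulMinKeySize;   /* bytes for AES mechanisms */
    CK_ULONG ulMaxKeySize;
    CK_FLAGS flags;
} CK_MECHANISM_INFO;
#define CKM_AES_GCM         0x00001087UL
#define CKF_MESSAGE_ENCRYPT 0x00000002UL
#define CKF_MESSAGE_DECRYPT 0x00000004UL
#define CKF_ENCRYPT         0x00000100UL
#define CKF_DECRYPT         0x00000200UL

/* Hypothetical: one row per mechanism as it appears in the validation. */
typedef struct { CK_MECHANISM_TYPE type; CK_MECHANISM_INFO validated; } validated_entry;

/* Constructed sample profile: AES-GCM validated for message-based decrypt only. */
static const validated_entry validated_profile[] = {
    { CKM_AES_GCM, { 16, 32, CKF_MESSAGE_DECRYPT } },
};

/* Hypothetical helper: intersect what the token reports with what was validated.
 * Returns 1 and fills *out if a validated subset remains; otherwise returns 0
 * and leaves *out zeroed, so a caller cannot use unvalidated flags by mistake. */
int validated_mechanism_info(CK_MECHANISM_TYPE type,
                             const CK_MECHANISM_INFO *reported,
                             CK_MECHANISM_INFO *out)
{
    size_t n = sizeof validated_profile / sizeof validated_profile[0];
    out->ulMinKeySize = 0; out->ulMaxKeySize = 0; out->flags = 0;
    for (size_t i = 0; i < n; i++) {
        const CK_MECHANISM_INFO *v = &validated_profile[i].validated;
        if (validated_profile[i].type != type) continue;
        /* Key-size range: the overlap of the reported and validated ranges. */
        CK_ULONG lo = reported->ulMinKeySize > v->ulMinKeySize ? reported->ulMinKeySize : v->ulMinKeySize;
        CK_ULONG hi = reported->ulMaxKeySize < v->ulMaxKeySize ? reported->ulMaxKeySize : v->ulMaxKeySize;
        /* Flags: only bits both reported by the token and present in the profile. */
        CK_FLAGS f = reported->flags & v->flags;
        if (f == 0 || lo > hi) return 0;
        out->ulMinKeySize = lo; out->ulMaxKeySize = hi; out->flags = f;
        return 1;
    }
    return 0;   /* mechanism not in the validated profile */
}
```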



