

Subject: Re: [pkcs11] Re: [External] : [pkcs11] FIPS indicators


On 5/27/21 2:46 AM, Darren J Moffat wrote:

Why would we need a new function for a FIPS indicator?

For a session could we use a flag that can be reported via the CK_SESSION_INFO?

Similarly a flag for CK_MECHANISM_INFO to indicate if the slot/token combination allows it to provide services in a FIPS 140 compatible way.

Then for keys an attribute CKA_FIPS140_3 that takes an appropriate value, maybe similar to how CKA_ALWAYS_SENSITIVE works.

What am I missing with the above that a new C_GetFIPSStatus() provides that the above doesn't?

Hmm, I only thought about the attribute recently. Adding the new attribute would handle the object setting. I'll have to think about session info. It's likely we can do it with 2 flags (CKF_FIPS_OK, CKF_LAST_FIPS_OK). The rest of the document still applies, but that seems a reasonable addition (assuming we can extend CK_SESSION_INFO in an ABI-compatible way).

Darren



