Subject: Re: [pkcs11] Re: [External] : [pkcs11] FIPS indicators
On 5/27/21 2:46 AM, Darren J Moffat wrote:

> Why would we need a new function for an FIPS indicator?
>
> For a session could we use a flag that can be reported via the CK_SESSION_INFO?
>
> Similarly a flag for CK_MECHANISM_INFO to indicate if the slot/token combination allows it to provide services in a FIPS 140 compatible way.
>
> Then for keys an attribute CKA_FIPS140_3 that takes an appropriate value, maybe similar to how CKA_ALWAYS_SENSITIVE works.
>
> What am I missing with the above that a new C_GetFIPSStatus() provides that the above doesn't?
>
> Darren

Hmm, I only thought about the attribute recently. Adding the new attribute would handle the object setting. I'll have to think about session info. It's likely we can do it with 2 flags (CKF_FIPS_OK, CKF_LAST_FIPS_OK). The rest of the document still applies, but that seems a reasonable addition (assuming we can extend CK_SESSION_INFO in an ABI-compatible way).