Daniel Minder and I discussed about Oscar’s comments that are listed as “Work Items deferred from PKCS11 3.1” on the 3.2 Wiki page. Daniel reminded me that he had gone through Oscar’s comments; at that time he had informed Tony and me about
the result of his analysis, but did not post it to the mailing list yet, and then forgot to do so. Please see the mail he had sent to Tony and me below.
Items #12 and #17 are fixed in PKCS#11 committee specification 3.1.
Items #6 and #14: To be discussed in the next TC meeting that (using Daniel’s words) “If we agree that we don’t fix any problems with the historic mechanisms #6 and #14 disappear.”
Tony, Dieter,
Oscar So did a review of the 2.40 errata (see his mail of May 29th, 2020 to the pkcs11 list), but when I looked at it that time I immediately recognized that there might be some errors in the review.
So, I re-reviewed now and most of the TODOs disappeared. (In fact, it seems nobody picked up the review and the TODOs so far?)
But this is what is left IMO:
#6: This is still valid, but KEA is a historic mechanism. There, in the definitions section it says "CKM_KEA_KEY_DERIVE", also in Table 1 at the very beginning, but in sections 2.3.2.1 and 2.3.6 it says "CKM_KEA_DERIVE". Problem is that
the headers has different values for CKM_KEA_KEY_DERIVE and CKM_KEA_DERIVE.
#12: In Word doc, field in CK_TLS_MAC_PARAMS is called prfMechanism, in header it's prfHashMechanism.
#14: HMACs with MD5, RIPEMD128 and RIPEMD160 are historic. CKK_MD5_HMAC, CKK_RIPEMD128_HMAC and CKK_RIPEMD160_HMAC are defined in the headers, but not used anywhere. In contrast, other HMAC keys (e.g. CKK_SHA256_HMAC), the general length
HMAC MD5/RIPEMD128/RIPEMD160 algorithms work only with generic secrets, but not with the special CKK_*_HMAC keys.
#17: CKA_DERIVE_TEMPLATE can still not be found in the base spec. However, we had an approved proposal in v3.0:
https://wiki.oasis-open.org/pkcs11/3.0WorkItems?highlight=%28CKA_DERIVE_TEMPLATE%29 Where did it go to?
If we agree that we don’t fix any problems with the historic mechanisms #6 and #14 disappear.
#12 can be seen as editorial issue and simply be fixed in the Word doc.
#17 has probably been forgotten last time. Since it is already approved editors can simply take and integrate it now.
I hope this was the only item we forgot to integrate in v3.0. Interesting that nobody recognized…
Best,
Daniel
Utimaco IS GmbH
Germanusstr. 4, D.52080 Aachen, Germany, Tel: +49-241-1696-0,
www.utimaco.com
Seat: Aachen – Registergericht Aachen HRB 18922
VAT ID No.: DE 815 496 496
Managementboard: Stefan Auerbach (Chairman) CEO, Malte Pollmann CSO, Martin Stamm CFO
This communication is confidential. If you are not the intended recipient, any use, interference with, disclosure or copying of this material is unauthorised and prohibited. Please inform us immediately and destroy the email.