Re: PKCS#11 URI slot attributes & last call2014-12-18 10:30:14On Wed, 17 Dec 2014, Nico Williams wrote: I will draft new text including the slot-id attribute first and send it here but will not file it yet. hi, as Nikos mentioned yesterday, we discussed slot attributes in the past. It was in Nov 2010 and I forgot about it. It was a long discussion, 20+ emails, and I think the following summarizes it: - slot ID is unstable so its use is limited or even dangerous - slot description might be ok but it would still be better to choose slot simply via a number if needed (ie. not via URI) - exiting attributes are enough to identify what we need after giving it significant time thinking about it today I'd still add attributes for token description, manufacturer, and ID for this reasons: (1) as in pam_pkcs11 case, there will be scenarios where slot information will be needed. It would be nice if it could be provided via a PKCS#11 URI when we can do that for objects, tokens, libraries and even PKCS#11 module paths. (2) neither slot description nor manufacturer is enough to uniquely identify a slot and it does not have serial number as a token. While generally unstable, slot-id may be the only way to uniquely identify a slot. If stability is provided either in the module or externally, its use may be justified in such scenarios. (3) if we do not add slot attributes people will keep asking about it I drafted new text so that we can see how it would look. I think we should either add all 3 slot-* attributes or none. The draft is attached and the diff as well. There were more necessary changes but it basically comes to this: @@ -216,10 +218,13 @@ pk11-type = "type" "=" *1("public" / "private" / "cert" / "secret-key" / "data") pk11-id = "id" "=" *pk11-pchar + pk11-slot-desc = "slot-description" "=" *pk11-pchar + pk11-slot-id = "slot-id" "=" 1*DIGIT + pk11-slot-manuf = "slot-manufacturer" "=" *pk11-pchar pk11-pin-source = "pin-source" "=" *pk11-qchar pk11-pin-value = "pin-value" "=" *pk11-qchar @@ -292,6 +298,20 @@ | | the token | CK_TOKEN_INFO | | | | structure | +----------------------+---------------------+----------------------+ + | slot-description | slot description | "slotDescription" | + | | | member of | + | | | CK_SLOT_INFO | + | | | structure | + +----------------------+---------------------+----------------------+ + | slot-id | Cryptoki-assigned | decimal number of | + | | value that | "CK_SLOT_ID" type | + | | identifies a slot | | + +----------------------+---------------------+----------------------+ + | slot-manufacturer | ID of the slot | "manufacturerID" | + | | manufacturer | member of | + | | | CK_SLOT_INFO | + | | | structure | + +----------------------+---------------------+----------------------+ | token | application-defined | "label" member of | @@ -332,6 +352,13 @@ version number is mandatory. Both "M" and "N" must be decimal numbers. + Slot ID is a Cryptoki-assigned number that is not guaranteed stable + across PKCS#11 module initializations. However, slot description and + manufacturer ID may not be enough to uniquely identify a specific + reader. In situations where slot information is necessary use of + "slot-id" attribute may be justified if sufficient slot ID stability + is provided in the PKCS#11 provider itself or externaly. An empty PKCS#11 URI path attribute that does allow for an empty @@ -506,6 +534,10 @@ minor version. Resulting minor and major version numbers must be then separately compared numerically. + o value of attribute "slot-id" must be processed as a specific + scheme-based normalization permitted by Section 6.2.3 of [RFC3986] + and compared numerically. + @@ -602,6 +634,12 @@ manufacturer=Snake%20Oil,%20Inc. ?pin-value=the-pin + In the context where a slot is expected the slot can be identified + without specifying any PKCS#11 objects in any token it may be + inserted in it. + + pkcs11:slot-description=Sun%20Metaslot + I really appreciate time you already spent reviewing this ID and I'm not happy to do such last minute changes. I hope this last one would be worth it. regards, Jan. -- Jan Pechanec <jan(_dot_)pechanec(_at_)oracle(_dot_)com>
pkcs11-uri-draft-16-17.diff
draft-pechanec-pkcs11uri-17.txt
|
|