
Re: PKCS#11 URI slot attributes & last call

2014-12-18 10:30:14
On Wed, 17 Dec 2014, Nico Williams wrote:

     I will draft new text including the slot-id attribute first 
and send it here but will not file it yet.

        hi, as Nikos mentioned yesterday, we discussed slot attributes 
in the past.  It was in Nov 2010 and I forgot about it.  It was a long 
discussion, 20+ emails, and I think the following summarizes it:

        - slot ID is unstable so its use is limited or even dangerous
        - slot description might be ok but it would still be better to 
choose slot simply via a number if needed (i.e. not via URI)
        - existing attributes are enough to identify what we need

        after giving it significant time thinking about it today I'd 
still add attributes for token description, manufacturer, and ID for 
these reasons:

        (1) as in pam_pkcs11 case, there will be scenarios where slot 
information will be needed.  It would be nice if it could be provided 
via a PKCS#11 URI when we can do that for objects, tokens, libraries 
and even PKCS#11 module paths.

        (2) neither slot description nor manufacturer is enough to 
uniquely identify a slot and it does not have a serial number as a 
token does.  While generally unstable, slot-id may be the only way to 
uniquely identify a slot.  If stability is provided either in the 
module or externally, its use may be justified in such scenarios.

        (3) if we do not add slot attributes people will keep asking 
about it

        I drafted new text so that we can see how it would look.  I 
think we should either add all 3 slot-* attributes or none.  The draft 
is attached and the diff as well.  There were more necessary changes 
but it basically comes to this:

@@ -216,10 +218,13 @@
   pk11-type            = "type" "=" *1("public" / "private" / "cert" /
                          "secret-key" / "data")
   pk11-id              = "id" "=" *pk11-pchar
+  pk11-slot-desc       = "slot-description" "=" *pk11-pchar
+  pk11-slot-id         = "slot-id" "=" 1*DIGIT
+  pk11-slot-manuf      = "slot-manufacturer" "=" *pk11-pchar
   pk11-pin-source      = "pin-source" "=" *pk11-qchar
   pk11-pin-value       = "pin-value" "=" *pk11-qchar
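
Review bot: pk11-slot-desc and pk11-slot-manuf accept an empty value ("*pk11-pchar") while pk11-slot-id requires at least one digit but puts no upper bound on their number ("1*DIGIT"), and neither choice is explained. Suggest a sentence saying whether an empty "slot-description=" is meant to match anything, and a requirement that a consumer reject a "slot-id" value that does not fit the CK_SLOT_ID type. The visible lines also only define the three rules; please confirm they are added to the path attribute production elsewhere in the full diff.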

@@ -292,6 +298,20 @@
    |                      | the token           | CK_TOKEN_INFO        |
    |                      |                     | structure            |
    +----------------------+---------------------+----------------------+
+   | slot-description     | slot description    | "slotDescription"    |
+   |                      |                     | member of            |
+   |                      |                     | CK_SLOT_INFO         |
+   |                      |                     | structure            |
+   +----------------------+---------------------+----------------------+
+   | slot-id              | Cryptoki-assigned   | decimal number of    |
+   |                      | value that          | "CK_SLOT_ID" type    |
+   |                      | identifies a slot   |                      |
+   +----------------------+---------------------+----------------------+
+   | slot-manufacturer    | ID of the slot      | "manufacturerID"     |
+   |                      | manufacturer        | member of            |
+   |                      |                     | CK_SLOT_INFO         |
+   |                      |                     | structure            |
+   +----------------------+---------------------+----------------------+
    | token                | application-defined | "label" member of    |
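
Review bot: in the slot-id row, "decimal number of "CK_SLOT_ID" type" mixes the textual form with the C type, unlike the two neighbouring rows, which name a CK_SLOT_INFO member. Suggest "decimal representation of the "CK_SLOT_ID" value" so it is clear the URI carries digits and the consumer converts them. The description column for slot-manufacturer could also read "slot manufacturer ID" to match the member name it maps to.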

@@ -332,6 +352,13 @@
    version number is mandatory.  Both "M" and "N" must be decimal
    numbers.

+   Slot ID is a Cryptoki-assigned number that is not guaranteed stable
+   across PKCS#11 module initializations.  However, slot description and
+   manufacturer ID may not be enough to uniquely identify a specific
+   reader.  In situations where slot information is necessary use of
+   "slot-id" attribute may be justified if sufficient slot ID stability
+   is provided in the PKCS#11 provider itself or externaly.

    An empty PKCS#11 URI path attribute that does allow for an empty
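
Review bot: the last added line has a typo, "externaly" should be "externally", and "necessary use of" needs a comma after "necessary". More substantively, "if sufficient slot ID stability is provided ... externally" gives an implementer nothing to check against; suggest saying what a consumer should do when it cannot establish that stability, for example treat a URI that relies on "slot-id" alone as valid only within a single module initialization.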

@@ -506,6 +534,10 @@
       minor version.  Resulting minor and major version numbers must be
       then separately compared numerically.

+   o  value of attribute "slot-id" must be processed as a specific
+      scheme-based normalization permitted by Section 6.2.3 of [RFC3986]
+      and compared numerically.
+
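
Review bot: "must be processed as a specific scheme-based normalization" does not parse, and "compared numerically" leaves leading zeros implicit even though the grammar above allows them via "1*DIGIT". Suggest "the value of attribute "slot-id" is subject to scheme-based normalization as permitted by Section 6.2.3 of [RFC3986]: leading zeros are not significant and values are compared numerically", so that "slot-id=07" and "slot-id=7" are stated to be equivalent.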

@@ -602,6 +634,12 @@
             manufacturer=Snake%20Oil,%20Inc.
             ?pin-value=the-pin

+   In the context where a slot is expected the slot can be identified
+   without specifying any PKCS#11 objects in any token it may be
+   inserted in it.
+
+     pkcs11:slot-description=Sun%20Metaslot
+
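
Review bot: the end of the added sentence, "in any token it may be inserted in it", is garbled; suggest "without specifying any PKCS#11 objects in any token that may be inserted in it". Since the text added earlier argues that slot description may not be unique, a second example that combines "slot-description" with "slot-id" would show the case the new attributes are meant to cover.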


        I really appreciate the time you already spent reviewing this ID 
and I'm not happy to do such last minute changes.  I hope this last 
one would be worth it.

        regards, Jan.

-- 
Jan Pechanec <jan(_dot_)pechanec(_at_)oracle(_dot_)com>

Attachment: pkcs11-uri-draft-16-17.diff
Description: Text document

Attachment: draft-pechanec-pkcs11uri-17.txt
Description: Text document
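
Added example, not part of the original message or of the draft: a sketch of how a consumer could match the proposed slot-* attributes against a slot list, showing that description and manufacturer can be ambiguous while a numerically compared slot-id is not. The function names, the sample slots and the stripping of trailing blank padding are assumptions of this example.

```python
from urllib.parse import unquote

# URI attribute -> CK_SLOT_INFO member, as in the table added by the diff.
SLOT_ATTRS = {"slot-description": "slotDescription",
              "slot-manufacturer": "manufacturerID"}

def parse_slot_attrs(uri):
    """Extract the slot-* path attributes of a pkcs11: URI (hypothetical helper)."""
    scheme, sep, rest = uri.partition(":")
    if scheme != "pkcs11" or not sep:
        raise ValueError("not a pkcs11 URI")
    path = rest.split("?", 1)[0]  # query part (pin-source, pin-value) is ignored
    want = {}
    for pair in filter(None, path.split(";")):
        name, eq, value = pair.partition("=")
        if not eq:
            raise ValueError(f"attribute without '=': {pair!r}")
        if name != "slot-id" and name not in SLOT_ATTRS:
            continue  # token/object attributes are out of scope here
        if name in want:
            raise ValueError(f"duplicate attribute: {name}")
        if name == "slot-id":
            # 1*DIGIT, then numeric comparison: "007" and "7" are the same slot.
            if not (value.isascii() and value.isdigit()):
                raise ValueError("slot-id must be 1*DIGIT")
            want[name] = int(value)
        else:
            want[name] = unquote(value)
    return want

def matching_slots(uri, slots):
    """Return IDs of all slots matching the URI; more than one is ambiguous."""
    want = parse_slot_attrs(uri)
    hits = []
    for slot_id, info in slots:
        if want.get("slot-id", slot_id) != slot_id:
            continue
        # Assumption: trailing blank padding is stripped before comparing.
        if all(info[member].rstrip(" ") == want[attr]
               for attr, member in SLOT_ATTRS.items() if attr in want):
            hits.append(slot_id)
    return hits

# Constructed sample: (CK_SLOT_ID, CK_SLOT_INFO fields), blank-padded to 64/32.
READER = {"slotDescription": "Example Reader".ljust(64),
          "manufacturerID": "Snake Oil, Inc.".ljust(32)}
SLOTS = [(0, {"slotDescription": "Sun Metaslot".ljust(64),
              "manufacturerID": "Example Vendor".ljust(32)}),
         (1, dict(READER)), (2, dict(READER))]
```

A caller that needs exactly one slot should treat an empty or multi-element result as an error rather than picking the first hit.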