OASIS-pkcs11@ConnectedCommunity.org
Contacts
Chair: Valerie Fenwick, Apple, Inc.
vfenwick@apple.com
Chair: Robert Relyea, Red Hat
rrelyea@redhat.com
OASIS Staff Contact: Kelly Cullinane
kelly.cullinane@oasis-open.org
Description
Enhancing PKCS #11 standard for cryptographic tokens controlling authentication information (personal identity, cryptographic keys, certificates, digital signatures, biometric data)
Group Notes
Table of Contents
Announcements
PKCS #11 Specification Version 3.1 and Profiles Version 3.1 OASIS Standards are now published. For details, see the announcement.
PKCS #11 Specification Version 3.1 is now published as Committee Specification 01. For details, see the announcement.
PKCS #11 Profiles Version 3.1 is now published as Committee Specification 01. For details, see the announcement.
OASIS has issued a press release on the new PKCS 11 OASIS Standards: OASIS Approves Four Public-Key Cryptography (PKCS) #11 Standards: Cisco, Cryptsoft, Dell, Fornetix, nCipher, Oracle, P6R, Red Hat, and Others Advance Widely Used Authentication Standards. The release is available here.
PKCS #11 Cryptographic Token Interface Base Specification Version 3.0, PKCS #11 Cryptographic Token Interface Profiles Version 3.0, PKCS #11 Cryptographic Token Interface Current Mechanisms Specification Version 3.0, and PKCS #11 Cryptographic Token Interface Historical Mechanisms Specification Version 3.0 are now published OASIS Standards.
PKCS #11 Cryptographic Token Interface Base Specification Version 3.0, PKCS #11 Cryptographic Token Interface Profiles Version 3.0, PKCS #11 Cryptographic Token Interface Current Mechanisms Specification Version 3.0, and PKCS #11 Cryptographic Token Interface Historical Mechanisms Specification approved as Committee Specifications.
Latest Advances in OASIS KMIP and PKCS #11 Encryption and Cryptographic Standards Demonstrated by 10 Companies at RSA Conference 2018: Cryptsoft, Fornetix, IBM Security, Kryptus, Micro Focus, P6R, Quintessence Labs, Thales eSecurity, Unbound Tech, and Utimaco Demo KMIP Interoperability and/or PKCS #11 Support; 16 April 2018
The PKCS #11 TC has published Approved Errata for PKCS #11 Cryptographic Token Interface Base Specification, Current Mechanisms Specification, and Historical Mechanisms Specification, all Version 2.40. The Base Specification includes the new normative computer language definition files (aka "header files"). For details and links, see the announcement at https://www.oasis-open.org/news/announcements/pkcs-11-v2-40-approved-erratas-published-by-pkcs-11-tc. [28 June 2016]
The PKCS#11 Technical Committee passed a motion to recognize Bob Griffin as Chair Emeritus. Thank you, Bob, for all your hard work to get this committee started!
OASIS Press Release: PKCS #11 Cryptographic Token Interface Base Specification, Interface Profiles, Current Mechanisms Specification, and Historical Mechanisms Specification Versions 2.40 become OASIS Standards.
Participation in the OASIS PKCS 11 TC is open to all interested parties. Contact join@oasis-open.org for more information.
Overview
The OASIS PKCS 11 Technical Committee develops enhancements to improve the PKCS #11 standard for ease of use in code libraries, open source applications, wrappers, and enterprise/COTS products: implementation guidelines, usage tutorials, test scenarios and test suites, interoperability testing, coordination of functional testing, development of conformance profiles, and providing reference implementations.
The updated standard provides additional support for mobile and cloud computing use cases: for distributed/federated applications involving key management functions (key generation, distribution, translation, escrow, re-keying); session-based models; virtual devices and virtual keystores; evolving wireless/sensor applications using near field communication (NFC), RFID, Bluetooth, and Wi-Fi.
TC members are also designing new mechanisms for API instrumentation, suitable for use in prototyping, profiling, and testing in resource-constrained application environments. These updates enable support for easy integration of PKCS #11 with other cryptographic key management system (CKMS) standards, including a broader range of cryptographic algorithms and CKMS cryptographic service models.
For more information on the PKCS 11 TC, see the TC Charter.
Subcommittees
PCKS 11 Interoperability Subcommittee
TC Liaisons
Tim Hudson (Cryptsoft) has been appointed by the PKCS 11 TC as liaison to the OASIS KMIP TC.
Technical Work Produced by the Committee
Wiki for OASIS PKCS 11 TC member collaboration
The Technical Committee has produced two new OASIS Standards for PKCS11 version 3.1.
PKCS #11 Specification Version 3.1
https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/os/pkcs11-spec-v3.1-os.html
PKCS #11 Profiles Version 3.1
https://docs.oasis-open.org/pkcs11/pkcs11-profiles/v3.1/os/pkcs11-profiles-v3.1-os.html
PKCS #11 Specification Version 3.1
https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/cs01/pkcs11-spec-v3.1-cs01.html
PKCS #11 Profiles Version 3.1
https://docs.oasis-open.org/pkcs11/pkcs11-profiles/v3.1/cs01/pkcs11-profiles-v3.1-cs01.html
The Technical Committee has produced four new OASIS Standards, encompassing PKCS11 version 3.0.
PKCS #11 Cryptographic Token Interface Base Specification Version 3.0
https://docs.oasis-open.org/pkcs11/pkcs11-base/v3.0/os/pkcs11-base-v3.0-os.html
PKCS #11 Cryptographic Token Interface Profiles Version 3.0
https://docs.oasis-open.org/pkcs11/pkcs11-profiles/v3.0/os/pkcs11-profiles-v3.0-os.html
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification Version 3.0
https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/os/pkcs11-curr-v3.0-os.html.
PKCS #11 Cryptographic Token Interface Historical Mechanisms Specification Version 3.0
https://docs.oasis-open.org/pkcs11/pkcs11-hist/v3.0/os/pkcs11-hist-v3.0-os.html.
For your convenience, OASIS provides a complete package of the specification documents and any related files in ZIP distribution files. You can download the ZIP files at:
Base Specification: https://docs.oasis-open.org/pkcs11/pkcs11-base/v3.0/os/pkcs11-base-v3.0-os.zip
Profiles: https://docs.oasis-open.org/pkcs11/pkcs11-profiles/v3.0/os/pkcs11-profiles-v3.0-os.zip
Current Mechanisms: https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/os/pkcs11-curr-v3.0-os.zip
Historical Mechanisms: https://docs.oasis-open.org/pkcs11/pkcs11-hist/v3.0/os/pkcs11-hist-v3.0-os.zip
This Technical Committee has produced four new OASIS standards, encompassing PKCS11 version 2.40.
Also, the PKCS #11 V2.30 principal input specification referenced in the TC Charter was contributed on 2013-03-04.
PKCS #11 V2.40
The latest documents for PKCS #11 V2.40 are official OASIS standards as of April 2015. This standard builds on the foundation of PKCS #11 V2.30, and is backwards compatible to PKCS #11 V2.20. Additionally, there is a Usage Guide to accompany those specifications. The Usage Guide is a Committee Note.
PKCS #11 V2.40 Approved Errata
The PKCS11 TC has published Approved Errata for PKCS #11 V2.40. See the announcement at https://www.oasis-open.org/news/announcements/pkcs-11-v2-40-approved-erratas-published-by-pkcs-11-tc or use the links below.
Expository Work Produced by the Committee
External Resources
The header files can be found in the PKCS#11 git repo: https://github.com/oasis-tcs/pkcs11
If you do not want to do a pull, but just review the header files, you may access the versioned working files here:
Mailing Lists and Comments
pkcs11: the discussion list used by TC members to conduct Committee work. TC membership is required to post, and TC members are automatically subscribed. The public may view the list archives, also mirrored by MarkLogic at MarkMail.org.
pkcs11-comment: a public mailing list for providing feedback on the technical work of the OASIS PKCS 11 TC. Send a comment or view the comment list archives, also mirrored by MarkLogic at MarkMail.org.
Press Coverage and Commentary
- RSA 2017 Features Huge Demonstration of Support for Cyber Threat Intelligence, Encryption, and Cryptography Standards as 24 OASIS Member Companies Collaborate. Cryptsoft, Feitan, Fornetix, Hancom Secure, Hewlett Packard Enterprise (HPE), IBM, Kryptus, Oracle, Quintessence Labs, SafeNet, Utimaco, and Watchdata Demo KMIP Interoperability and/or PKCS #11 Support. 13 Feb 2017.
- Latest advances in OASIS KMIP and PKCS #11 Encryption and Cryptographic Token Interface Standards Demonstrated by Twelve Companies at RSA 2016: Interoperability Between Cryptosense, Cryptsoft, Feitian, Fornetix, Hewlett Packard Enterprise (HPE), IBM, Oracle, P6R, Quintessence Labs, SafeNet, Townsend Security, and Utimaco Products on Display; 29 Feb 2016
- Twelve Companies Demonstrate Interoperability for OASIS KMIP and PKCS #11 Encryption and Cryptographic Token Interface Standards at RSA 2015: Cryptosense, Cryptsoft, Dell, Feitian, Fornetix, HP, IBM, Oracle, P6R, Thales, Utimaco, and Vormetric Collaborate to Prove Multi-Vendor Interoperability; 21 Apr 2015
- Eleven Companies Demo Interoperability for KMIP and PKCS #11 OASIS Standards at RSA Conference 2014: Cryptosense, Cryptsoft, Dell, Feitian, HP, IBM, P6R, Oracle, SafeNet, Thales e-Security, and Vormetric Show Support for Key Management and Cryptographic Token Interface Standards; 24 Feb 2014
Technical Committee Standing Rules
- PKCS11 Technical Committee Standing Rule on Identifier Allocation
The PKCS11 technical specifications have several constants defined throughout the standard. Those constants are then used to create the header files for each version of the standard. There is a need for these values to be stable in order to maintain compatibility between various versions of the standard, and interoperability between various vendors and applications.
To assist developers who are working on testing new additions to the standard and for interoperability testing, it is important to stabilize the identifiers used for these constants as early in the process as possible.
After a proposal has gone through its review process, but before it goes to ballot or voice vote, the proposal author(s) should seek identifier values for all of their constants from the technical committee co-chairs before the ballot is opened.
If a proposal is not approved by the technical committee, it will be the co-chairs discretion whether or not to reuse those constant identifier values for a future proposal.
Additional Information