OASIS PKCS 11 TC

  • 1.  Draft -07 review...

    Posted 12-18-2024 14:57

    FIPS indicators -

    • Section 4.8.2
      • Table "Common Key Attributes"
        • CKA_VALIDATION_FLAGS needs footnote 6 added.
    • Section 4.15.2
      • Table "Validation Object Attributes"
        • CKA_VALIDATION_AUTHORITY, CKA_VALIDATION_CERTIFICATE_IDENTIFIER, CKA_VALIDATION_CERTIFICATE_URI, CKA_VALIDATION_VENDOR_URI and CKA_VALIDATION_PROFILE missing descriptions... we should pick up the descriptions from KMIP
        • In the table, all the entries have a footnote of '13'; we should change it to '1' since we aren't using the standard footnotes, or create its own footnote space. There is already a footnote 13 in the standard footnotes.

    Priv to pub key -

    • Looks fine, I'll mark it as reviewed.

    KEM mechanisms -

    • Looks fine, I'll mark it as reviewed.

    KEM API -

    • Section 3.5
      • Table "Mechanism Information Flags"
        • We include the mask value for all the flags except CKF_ENCAPSULATE and CKF_DECAPSULATE. We should either remove the mask field (which is defined in the header file) or add the values for CKF_ENCAPSULATE and CKF_DECAPSULATE:
          • pkcs11t.h:#define CKF_ENCAPSULATE        0x10000000UL
          • pkcs11t.h:#define CKF_DECAPSULATE        0x20000000UL

    PQ Signatures -

    • Section 5.1.6
      • CKR_PUBLIC_KEY_INVALID: has 'C_VerfiyInit or C_VerifyInitRecover' should now be 'C_VerifyInit, C_VerifySignatureInit or C_VerifyRecoverInit'.

    • Section 5.15.7
      • strike 'where the signature is an appendix to the data ' in the second paragraph.

    PQ Signature algorithms -

    • Section 6.69.6
      • change 'verifying hash ML-DSA signatures' to 'verifying pre-hash ML-DSA signatures'. The id's are 'hash-ML-DSA' and the spec has 'pre-hash'.
    • Section 6.69.7
      • remove 'Pre-hash' from the description.
    • Section 6.71.6
      • change 'verifying hash SLH-DSA signatures' to 'verifying pre-hash SLH-DSA signatures'. The id's are 'hash-SLH-DSA' and the spec has 'pre-hash'.
    • Section 6.71.7
      • remove 'Pre-hash' from the description.

    Trust Objects -

    • Section 4.7.2
      • Table "Trust Object Attributes"
        • CKA_SERIAL_NUMBER needs footnote 1.

    TLS 1.2 Extended Master Secret -

    • Looks fine, I'll mark it as reviewed.

    XMSS support -

    • Looks fine, I'll mark it as reviewed.







  • 2.  RE: Draft -07 review...

    Posted 12-19-2024 06:26

    Bob,

    I have fixed your findings in PKCS #11 specification v3.2 working draft 08. 

    In section 4.15.2 I have added descriptions for CKA_VALIDATION_AUTHORITY, CKA_VALIDATION_CERTIFICATE_IDENTIFIER, CKA_VALIDATION_CERTIFICATE_URI, CKA_VALIDATION_VENDOR_URI and CKA_VALIDATION_PROFILE. I have furthermore

    • added definitions for values for CKA_VALIDATION_TYPE and CKA_VALIDATION_AUTHORITY_TYPE
    • updated the description of CKA_VALIDATION_TYPE, i.e. removed "(BSI, FIPS-140, etc)" because this didn't fit with values CKV_TYPE_SOFTWARE, CKV_TYPE_HARDWARE etc.

    Wrt. Trust Objects

    When adding footnote 1 for CKA_SERIAL_NUMBER, I was wondering whether the addition "(default empty)" in meaning makes sense as CKA_SERIAL_NUMBER must be specified during object creation. Same applies to CKA_ISSUER. Or is there some other way to create a trust object than by C_CreateObject?



    ------------------------------
    Best regards,
    Dieter
    ------------------------------