PKCS11 Face-to-Face

When:  Feb 26, 2016 from 08:30 to 17:00 (PT)
Associated with  OASIS PKCS 11 TC
Description:

DRAFT AGENDA - Send Bob R and Valerie additional topics (including time needed)

all times PT


8:30AM->9:00AM Arrive, checkin on site

9:00AM -> 9:15AM Introductions

9:15AM->9:30AM Burt Kaliski, PKCS 25th Anniversary

9:30->9:45AM Update on PKCS#11 2.40 Errata, next steps

9:45->10AM Break

10AM Update from KMIP liason

10:15-> 11:30AM PKCS#11 2.41

  • New algorithms: SHA3, ChaCha, Poly
  • AES GCM IV - Can we abuse the parameter field?
  • NIST Key derivation function
  • Error code improvements (from Darren M)
  • EncryptCancel(), DigestCancel() ... which stops operation and cleans context. Now we have to simulate it with some kind of failure.
  • Extending C_GenerateRandom to specify RNG quality
  • Adding C_RenameToken, C_ChangeLabel, and/or C_ClearToken
  • CKA_UUID (or similar unique identifier attribute for objects). Right now, PKCS#11 objects can be hard to map into other protocols/keystore/databases (esp. KMIP) because there is no standard way to associate anything resembling a unique primary key with objects.
  • Others?

11:30 -> 11:45 Letter to CMVP/NIST

11:45->1PM Lunch

1PM -> 1:30PM Graham S.: Associating Attributes to Wrapped Keys

1:30PM -> 2:30 Bob R.: AEAD (Wan-Teh's 3.0 work)

2:30 -> 2:45 PM Break

2:45 -> 3:00 Interop update

Motion to participate in 2017 Interop at RSA Feb 2017.

3:00 -> 4:30 PKCS#11 3.00 topics (please let Valerie/Bob know)

  • Application/library context - C_Inititlize returns context and C_Finalize cleans only the sessions, objects and other related to the context or all library if context is not passed. Now we cannot calls C_Finalize in shared libraries (may just be an OS issue).
  • Adding multiple user support to C_Login to also take a user name
  • and call back mechanism
  • Forking: Remove fork behaviour from standard, perfectly acceptable to work in the child.
  • Map KMIP attributes to PKCS#11 object lifecycle attributes and enforcement. This includes new (different) error codes for attempts to use objects before/after it's valid to use them for the desired purpose. (example: should C_Encrypt() fail if the key passed is beyond its Protect Stop Date?)


4:30 -> 5:00 Set next meeting date , adjourn



==========
Agenda:

==========
Minutes:

==========
Attendance:
Meeting Statistics
Quorum rule 51% of voting members
Achieved quorum yes
Individual Attendance Contributing Members: 15 of 57 (26%)
Voting Members: 9 of 13 (69%) (used for quorum calculation)
Company Attendance Contributing Companies: 9 of 22 (40%)
Voting Companies: 4 of 4 (100%)