> All feedback except "Section 5.5, item 8.c.i. (line 629): Should the
> matching private key really be found via C_FindObjects without a
> login? Shouldn't it be with login?" applied.
>
> I checked with the original proposal and it has always been that way -
> but I've also sent Bob a separate note to confirm.
>
The document's text is correct. Most tokens require a login before
finding private keys. In order for a token to apply to this policy, it
must be possible to determine that the cert has a valid key *without*
logging into the token. The token can meet this criterion by meeting
either 8.c.i or 8.c.ii (c says one or more of the following).
What this profile allows is your token can be plugged into
Thunderbird or Firefox and they will not prompt for your token's
password until they actually need to use your token. Otherwise they will
need to login to determine if your token has any relevant certs to use
in S/MIME or client auth whenever the user needs to use *any* of these certs.
bob
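
The behaviour described in the reply above, as an added example that is not part of the thread or of the profile document: an in-memory Python model (not a real PKCS#11 binding) comparing a token whose private key is returned by C_FindObjects before login with one that hides it. Pairing certificate and key by CKA_ID, and using CKA_PRIVATE to model visibility, are assumptions of the example.

```python
# Added illustration: an in-memory model of a token, not a real PKCS#11 binding.
from dataclasses import dataclass

@dataclass(frozen=True)
class Obj:
    cls: str          # "CKO_CERTIFICATE" or "CKO_PRIVATE_KEY"
    cka_id: bytes     # CKA_ID; pairing cert and key by it is an assumption here
    private: bool     # CKA_PRIVATE: True hides the object until login

class Token:
    def __init__(self, objects):
        self.objects = list(objects)
        self.logged_in = False
        self.pin_prompts = 0

    def login(self):
        # Stands in for C_Login; each call is one password prompt to the user.
        self.pin_prompts += 1
        self.logged_in = True

    def find_objects(self, cls):
        # Stands in for C_FindObjects: CKA_PRIVATE objects are only returned
        # once the session is logged in.
        return [o for o in self.objects
                if o.cls == cls and (self.logged_in or not o.private)]

def usable_cert_ids(token):
    """List certs with a matching private key, logging in only if forced to."""
    certs = token.find_objects("CKO_CERTIFICATE")
    keys = {k.cka_id for k in token.find_objects("CKO_PRIVATE_KEY")}
    if certs and not keys and not token.logged_in:
        # Keys cannot be seen in a public session: the application has to
        # prompt just to learn whether any cert is relevant.
        token.login()
        keys = {k.cka_id for k in token.find_objects("CKO_PRIVATE_KEY")}
    return sorted(c.cka_id for c in certs if c.cka_id in keys)

def make_token(key_private):
    # Constructed sample data: one cert/key pair plus a CA cert with no key.
    return Token([
        Obj("CKO_CERTIFICATE", b"\x01", False),
        Obj("CKO_CERTIFICATE", b"\x02", False),
        Obj("CKO_PRIVATE_KEY", b"\x01", key_private),
    ])

if __name__ == "__main__":
    for label, key_private in (("key findable without login", False),
                               ("key hidden until login", True)):
        t = make_token(key_private)
        print(label, usable_cert_ids(t), "prompts:", t.pin_prompts)
```
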
Original Message:
Sent: 7/31/2024 5:02:00 PM
From: Tim Hudson
Subject: RE: pkcs11-profiles-v3.2-wd02.docx uploaded
All feedback except "Section 5.5, item 8.c.i. (line 629): Should the matching private key really be found via C_FindObjects without a login? Shouldn't it be with login?" applied.
I checked with the original proposal and it has always been that way - but I've also sent Bob a separate note to confirm.
All other changes applied and wd03 uploaded with change tracking relative to wd02.
Tim.
Original Message:
Sent: 7/24/2024 6:05:00 AM
From: Dieter Bong
Subject: RE: pkcs11-profiles-v3.2-wd02.docx uploaded
Tim,
I have reviewed the updates in Profiles document version 3.2 working draft 02. They all look good to me.
Unfortunately, I noticed multiple issues that we failed to notice in previous versions of the Profiles document, i.e. in Profiles version 3.2 working draft 01 or even in Profiles version 3.1:
- Sections 5.1.1.1, 5.3.1.1, 5.4.1.1 and 5.5.1.1: change headline from "...-31" to "...-32"; change references to testcases from "test-cases/pkcs11-v3.1/...31.xml" to "test-cases/pkcs11-v3.2/...32.xml"
- Section 5.2, bullet 4 should mention "a. CKO_PROFILE with value CKP_COMPLETE_PROVIDER"
- Due to the introduction of section 3 Conformance Test Cases and section 4 XML Representation, the former section 3 with profile definitions became section 5. This affects the following references:
  - in sections 5.3, 5.4, 5.5, 5.6 replace "Section 3.3" by "Section 5.1"
  - in sections 5.4, 5.5, 5.6 replace "Section 3.2" by "Section 5.7"
- Section 5.5, item 8.c.i. (line 629): Should the matching private key really be found via C_FindObjects without a login? Shouldn't it be with login?
- Section 5.6, item 7.a.: replace CKA_KEY_LENGTH by CKA_VALUE_LEN (4 times), and possibly adjust the format of list items 1. and 2. to the format as used in section 5.5 item 8.c. items i. and ii.
- Section 5.7: item 5 states that the consumer must support the functions "C_GetFunctionList or C_GetInterfaceList and C_GetInterface". When supporting C_GetInterfaceList and C_GetInterface, then it must also support the data type CK_INTERFACE. Should CK_INTERFACE thus be listed in item 2 data types? Possibly as conditional "if C_GetInterfaceList and C_GetInterface are supported"?
- Section 6.1: replace reference 5.75.1 by 5.1
- Section 6.2: replace reference 5.75.2 by 5.2
Although mostly editorial, this all results in quite some changes :-) Sorry for that.
Thanks,
Dieter
------------------------------
Dieter Bong
Manager Standardization and Strategic Projects
Utimaco IS GmbH
------------------------------
Original Message:
Sent: 07-17-2024 07:13
From: Tim Hudson
Subject: pkcs11-profiles-v3.2-wd02.docx uploaded
---------------------------------
Tim Hudson
CTO
Cryptsoft Pty Ltd.
Fairfield Gardens QLD
---------------------------------