Re: PKCS#11 URI slot attributes & last call

Nikos Mavrogiannopoulos <> Thu, 18 December 2014 11:06 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id E01061A6FD1; Thu, 18 Dec 2014 03:06:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id fUSMuy-St1GH; Thu, 18 Dec 2014 03:06:39 -0800 (PST)
Received: from ( [IPv6:2a00:1450:400c:c00::234]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C70C61A6FBC; Thu, 18 Dec 2014 03:06:38 -0800 (PST)
Received: by with SMTP id x12so1266573wgg.25; Thu, 18 Dec 2014 03:06:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=sender:message-id:subject:from:to:cc:date:in-reply-to:references :content-type:mime-version:content-transfer-encoding; bh=bSp1vRqj+AQZLBJMSS9lbWmW29h3FxmtcPxoe42Hm2Q=; b=VaBkWKgq6E0K2HVMCj6jEGsBBo+UUtOb1/Kb8iFaIHrurfoow/Q48vwGb2fE7zkwxj BzuvsrPFwIFGvDalISHbcinebpqdAe1QHIwf/XHMNmGF8s4kotu7LcRK9HewA5i6KB3m zhMQoov1odTAJXp7veQRVG0Ef+0Lw3vRyfVIr1CE7vk6GS7O/r05uEKRqPToN3ZMf9qn RAFSUGgXfIob6r8e/FJhUZM7MH12OcEHQjQrlGSRB2FlRA1CEUwXHhMFYhI5I/XRnmvh Q4m4WozbZFzs8rd3ssQAgxxICnnPOHXrArO+0QW/8BCwyiAyll2pcTK2XBPM8+sXtBWh ZXdQ==
X-Received: by with SMTP id x11mr3016798wju.131.1418900796782; Thu, 18 Dec 2014 03:06:36 -0800 (PST)
Received: from aspire.lan ( []) by with ESMTPSA id p1sm8510343wjy.22.2014. (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 18 Dec 2014 03:06:35 -0800 (PST)
Sender: Nikos Mavrogiannopoulos <>
Message-ID: <>
Subject: Re: PKCS#11 URI slot attributes & last call
From: Nikos Mavrogiannopoulos <>
To: Jan Pechanec <>
Date: Thu, 18 Dec 2014 13:06:32 +0200
In-Reply-To: <alpine.GSO.2.00.1412172154150.14405@rejewski>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <> <20141217230150.GB9443@localhost> <> <20141218000736.GL9443@localhost> <alpine.GSO.2.00.1412171614240.4549@keflavik> <> <20141218004717.GN9443@localhost> <alpine.GSO.2.00.1412171704530.4549@keflavik> <20141218012300.GP9443@localhost> <alpine.GSO.2.00.1412172154150.14405@rejewski>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.12.8 (3.12.8-1.fc21)
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Cc: Darren J Moffat <>, Stef Walter <>, Jaroslav Imrich <>,,
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 18 Dec 2014 11:06:52 -0000

On Wed, 2014-12-17 at 22:54 -0800, Jan Pechanec wrote:

> +   Slot ID is a Cryptoki-assigned number that is not guaranteed stable
> +   across PKCS#11 module initializations.  However, slot description and
> +   manufacturer ID may not be enough to uniquely identify a specific
> +   reader.  In situations where slot information is necessary use of
> +   "slot-id" attribute may be justified if sufficient slot ID stability
> +   is provided in the PKCS#11 provider itself or externaly.

Hello Jan,
I'd like to propose the following text instead:
"Slot ID is a Cryptoki-assigned number that is not guaranteed stable
across PKCS#11 module initializations. However, there are certain
libraries and modules which provide stable slot numbers and
descriptions. For these cases, when the manufacturer ID is not
sufficient to uniquely identify a specific reader, the slot
information could be used to increase the precision of the token
identification. In other scenarios, using the slot identifiers is
likely to cause usability issues."

That text discusses both the benefits and the risks.