Re: PKCS#11 URI slot attributes & last call

Jan Pechanec <jan.pechanec@oracle.com> Thu, 18 December 2014 06:58 UTC

To: Jaroslav Imrich <jaroslav.imrich@gmail.com>, Stef Walter <stef@thewalter.net>, Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>, Darren J Moffat <Darren.Moffat@oracle.com>, Nico Williams <nico@cryptonector.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/FZcMGPmYKyniQdIRWAZOp9yNkv4
Cc: saag@ietf.org, ietf@ietf.org

On Wed, 17 Dec 2014, Nico Williams wrote:

>> 	I will draft new text including the slot-id attribute first 
>> and send it here but will not file it yet.

	hi, as Nikos mentioned yesterday, we discussed slot attributes 
in the past.  It was in Nov 2010 and I forgot about it.  It was a long 
discussion, 20+ emails, and I think the following summarizes it:

	- slot ID is unstable so its use is limited or even dangerous
	- slot description might be ok but it would still be better to 
choose slot simply via a number if needed (i.e. not via URI)
	- existing attributes are enough to identify what we need

	after giving it significant time thinking about it today I'd 
still add attributes for token description, manufacturer, and ID for 
these reasons:

	(1) as in pam_pkcs11 case, there will be scenarios where slot 
information will be needed.  It would be nice if it could be provided 
via a PKCS#11 URI when we can do that for objects, tokens, libraries 
and even PKCS#11 module paths.

	(2) neither slot description nor manufacturer is enough to 
uniquely identify a slot and it does not have a serial number as a 
token does.  While generally unstable, slot-id may be the only way to 
uniquely identify a slot.  If stability is provided either in the 
module or externally, its use may be justified in such scenarios.

	(3) if we do not add slot attributes people will keep asking 
about it

	I drafted new text so that we can see how it would look.  I 
think we should either add all 3 slot-* attributes or none.  The draft 
is attached and the diff as well.  There were more necessary changes 
but it basically comes to this:

@@ -216,10 +218,13 @@
   pk11-type            = "type" "=" *1("public" / "private" / "cert" /
                          "secret-key" / "data")
   pk11-id              = "id" "=" *pk11-pchar
+  pk11-slot-desc       = "slot-description" "=" *pk11-pchar
+  pk11-slot-id         = "slot-id" "=" 1*DIGIT
+  pk11-slot-manuf      = "slot-manufacturer" "=" *pk11-pchar
   pk11-pin-source      = "pin-source" "=" *pk11-qchar
   pk11-pin-value       = "pin-value" "=" *pk11-qchar
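
Review bot: pk11-slot-id is defined as 1*DIGIT, which puts no upper bound on the value, while the table further down maps it to a "CK_SLOT_ID". The text should say what a consumer does with a digit string that does not fit that type; treating the URI as matching no slot is safer than truncating or wrapping the number.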

@@ -292,6 +298,20 @@
    |                      | the token           | CK_TOKEN_INFO        |
    |                      |                     | structure            |
    +----------------------+---------------------+----------------------+
+   | slot-description     | slot description    | "slotDescription"    |
+   |                      |                     | member of            |
+   |                      |                     | CK_SLOT_INFO         |
+   |                      |                     | structure            |
+   +----------------------+---------------------+----------------------+
+   | slot-id              | Cryptoki-assigned   | decimal number of    |
+   |                      | value that          | "CK_SLOT_ID" type    |
+   |                      | identifies a slot   |                      |
+   +----------------------+---------------------+----------------------+
+   | slot-manufacturer    | ID of the slot      | "manufacturerID"     |
+   |                      | manufacturer        | member of            |
+   |                      |                     | CK_SLOT_INFO         |
+   |                      |                     | structure            |
+   +----------------------+---------------------+----------------------+
    | token                | application-defined | "label" member of    |
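
Review bot: the slot-id row is the only new row that does not say where the value comes from; its third column reads only 'decimal number of "CK_SLOT_ID" type', whereas the other two rows name a CK_SLOT_INFO member. Suggest stating that it is the slot ID as reported by the module (for example by C_GetSlotList) and pointing from this row to the stability paragraph, so a reader of the table alone sees the caveat.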

@@ -332,6 +352,13 @@
    version number is mandatory.  Both "M" and "N" must be decimal
    numbers.

+   Slot ID is a Cryptoki-assigned number that is not guaranteed stable
+   across PKCS#11 module initializations.  However, slot description and
+   manufacturer ID may not be enough to uniquely identify a specific
+   reader.  In situations where slot information is necessary use of
+   "slot-id" attribute may be justified if sufficient slot ID stability
+   is provided in the PKCS#11 provider itself or externaly.

    An empty PKCS#11 URI path attribute that does allow for an empty
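
Review bot: the added paragraph leaves "sufficient slot ID stability" undefined, so the URI consumer has nothing to act on. Suggest saying that a slot-id should not be stored in long-lived configuration unless the module documents stable IDs, and that it is best combined with slot-description or slot-manufacturer so that a renumbered slot fails to match instead of selecting a different reader. Also, "externaly" should be "externally", and a comma is needed after "necessary".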

@@ -506,6 +534,10 @@
       minor version.  Resulting minor and major version numbers must be
       then separately compared numerically.

+   o  value of attribute "slot-id" must be processed as a specific
+      scheme-based normalization permitted by Section 6.2.3 of [RFC3986]
+      and compared numerically.
+
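
Review bot: the new bullet says slot-id "must be processed as a specific scheme-based normalization" without saying what that normalization is, so it is unclear whether "slot-id=007" and "slot-id=7" are equivalent. Suggest spelling it out, for example that leading zeros are insignificant and the values are compared as unsigned decimal integers.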

@@ -602,6 +634,12 @@
             manufacturer=Snake%20Oil,%20Inc.
             ?pin-value=the-pin

+   In the context where a slot is expected the slot can be identified
+   without specifying any PKCS#11 objects in any token it may be
+   inserted in it.
+
+     pkcs11:slot-description=Sun%20Metaslot
+
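
Review bot: the last clause of the added sentence, "in any token it may be inserted in it", does not parse; suggest "in any token that may be inserted in it". The example also uses slot-description alone, although the paragraph added earlier in this diff says slot description may not be enough to identify a specific reader, so a second example that combines it with slot-manufacturer or slot-id would help.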


	I really appreciate the time you already spent reviewing this ID 
and I'm not happy to do such last minute changes.  I hope this last 
one would be worth it.

	regards, Jan.

-- 
Jan Pechanec <jan.pechanec@oracle.com>
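
Added example, not part of the original message or of the draft: a sketch of how a consumer could match the proposed slot-* attributes against a slot list, comparing slot-id numerically and exposing the case from point (2) where description and manufacturer match more than one slot. The function names, the ";" path separator and the slot records are assumptions made for illustration.

```python
from urllib.parse import unquote

SLOT_ATTRS = {"slot-description", "slot-manufacturer", "slot-id"}

def parse_slot_attrs(uri):
    """Return the slot-* path attributes of a PKCS#11 URI as a dict."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URI")
    path = uri[len("pkcs11:"):].split("?", 1)[0]  # drop the query part
    attrs = {}
    for part in filter(None, path.split(";")):    # assumed ';' separator
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute: {part!r}")
        if name not in SLOT_ATTRS:
            continue                              # token/object attributes ignored here
        if name in attrs:
            raise ValueError(f"duplicate attribute: {name}")
        if name == "slot-id":
            # ABNF is 1*DIGIT; compared numerically, so "007" equals "7"
            if not (value.isascii() and value.isdigit()):
                raise ValueError("slot-id must be decimal digits")
            attrs[name] = int(value)
        else:
            attrs[name] = unquote(value)          # percent-decode before comparing
    return attrs

def match_slots(uri, slots):
    """Return every slot record that satisfies all slot-* attributes in the URI."""
    want = parse_slot_attrs(uri)
    keymap = {"slot-description": "description",
              "slot-manufacturer": "manufacturer",
              "slot-id": "id"}
    return [s for s in slots
            if all(s[keymap[k]] == v for k, v in want.items())]

# Constructed sample: two identical readers that differ only by slot ID.
SLOTS = [
    {"id": 0, "description": "Sun Metaslot", "manufacturer": "Example Corp"},
    {"id": 1, "description": "Example Reader", "manufacturer": "Example Corp"},
    {"id": 2, "description": "Example Reader", "manufacturer": "Example Corp"},
]
```

A caller that needs exactly one slot should treat a result with more than one entry as an error rather than taking the first match.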