--- draft-pechanec-pkcs11uri-16.txt-no-linebreaks 2014-12-17 22:22:24.000000000 -0800 +++ draft-pechanec-pkcs11uri-17.txt-no-linebreaks 2014-12-17 22:41:51.000000000 -0800 @@ -5,20 +5,19 @@ Network Working Group J. Pechanec Internet-Draft D. Moffat Intended status: Standards Track Oracle Corporation -Expires: April 16, 2015 October 13, 2014 +Expires: June 20, 2015 December 17, 2014 The PKCS#11 URI Scheme - draft-pechanec-pkcs11uri-16 + draft-pechanec-pkcs11uri-17 Abstract This memo specifies a PKCS#11 Uniform Resource Identifier (URI) - Scheme for identifying PKCS#11 objects stored in PKCS#11 tokens, for - identifying PKCS#11 tokens themselves, or for identifying PKCS#11 - libraries. The URI is based on how PKCS#11 objects, tokens, and - libraries are identified in the PKCS#11 Cryptographic Token Interface - Standard. + Scheme for identifying PKCS#11 objects stored in PKCS#11 tokens, and + also for identifying PKCS#11 tokens, slots or libraries. The URI is + based on how PKCS#11 objects, tokens, slots, and libraries are + identified in the PKCS#11 Cryptographic Token Interface Standard. Status of This Memo @@ -35,7 +34,7 @@ time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on April 16, 2015. + This Internet-Draft will expire on June 20, 2015. Copyright Notice 
@@ -64,12 +63,12 @@ 3.5. PKCS#11 URI Matching Guidelines . . . . . . . . . . . . . 10 3.6. PKCS#11 URI Comparison . . . . . . . . . . . . . . . . . 11 4. Examples of PKCS#11 URIs . . . . . . . . . . . . . . . . . . 12 - 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 - 6. Security Considerations . . . . . . . . . . . . . . . . . . . 15 - 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 - 7.1. Normative References . . . . . . . . . . . . . . . . . . 15 + 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 + 6. Security Considerations . . . . . . . . . . . . . . . . . . . 16 + 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 + 7.1. Normative References . . . . . . . . . . . . . . . . . . 16 7.2. Informative References . . . . . . . . . . . . . . . . . 16 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17 1. Introduction 
@@ -86,40 +85,42 @@ It is desirable for applications or libraries that work with PKCS#11 tokens to accept a common identifier that consumers could use to identify an existing PKCS#11 storage object in a PKCS#11 token, an - existing token itself, or an existing Cryptoki library (also called a - producer, module, or provider). The set of storage object types that - can be stored in a PKCS#11 token includes a certificate, a public, - private or secret key, and a data object. These objects can be - uniquely identifiable via the PKCS#11 URI scheme defined in this + existing token itself, a slot, or an existing Cryptoki library (also + called a producer, module, or provider). The set of storage object + types that can be stored in a PKCS#11 token includes a certificate, a + public, private or secret key, and a data object. These objects can + be uniquely identifiable via the PKCS#11 URI scheme defined in this document. The set of attributes describing a storage object can contain an object label, its type, and its ID. The set of attributes - that identifies a PKCS#11 token can contain a token label, a - manufacturer name, a serial number, and a token model. Attributes - that can identify a Cryptoki library are a library manufacturer, a - library description, and a library version. Library attributes may - be necessary to use if more than one Cryptoki library provides a - token and/or PKCS#11 objects of the same name. A set of query - attributes is provided as well. + that identifies a PKCS#11 token can contain a token label, + manufacturer name, serial number, and token model. Attributes that + can identify a slot are a slot ID, description, and manufacturer. + Attributes that can identify a Cryptoki library are a library + manufacturer, description, and version. Library attributes may be + necessary to use if more than one Cryptoki library provides a token + and/or PKCS#11 objects of the same name. A set of query attributes + is provided as well. 
The PKCS#11 URI cannot identify other objects defined in the specification [pkcs11_spec] aside from storage objects. For example, objects not identifiable by a PKCS#11 URI include a hardware feature and mechanism. Note that a Cryptoki library does not have to provide for storage objects at all. The URI can still be used to identify a - specific PKCS#11 token or an API producer in such a case. + specific PKCS#11 token, slot or an API producer in such a case. A subset of existing PKCS#11 structure members and object attributes was chosen believed to be sufficient in uniquely identifying a - PKCS#11 token, storage object, or library in a configuration file, on - a command line, or in a configuration property of something else. - Should there be a need for a more complex information exchange on - PKCS#11 entities a different means of data marshalling should be + PKCS#11 storage object, token, slot, or library in a configuration + file, on a command line, or in a configuration property of something + else. Should there be a need for a more complex information exchange + on PKCS#11 entities a different means of data marshalling should be chosen accordingly. A PKCS#11 URI is not intended to be used to create new PKCS#11 objects in tokens, or to create PKCS#11 tokens. It is solely to be - used to identify and work with existing storage objects and tokens - through the PKCS#11 API, or identify Cryptoki libraries themselves. + used to identify and work with existing storage objects, tokens, and + slots through the PKCS#11 API, or identify Cryptoki libraries + themselves. The URI scheme defined in this document is designed specifically with a mapping to the PKCS#11 API in mind. The URI uses the scheme, path 
@@ -188,7 +189,8 @@ pk11-model / pk11-lib-manuf / pk11-lib-ver / pk11-lib-desc / pk11-object / pk11-type / pk11-id / - pk11-x-pattr + pk11-slot-desc / pk11-slot-manuf / + pk11-slot-id / pk11-x-pattr ; Query component and its attributes. Query may be empty. pk11-qattr = pk11-pin-source / pk11-pin-value / pk11-module-name / pk11-module-path / @@ -216,10 +218,13 @@ pk11-type = "type" "=" *1("public" / "private" / "cert" / "secret-key" / "data") pk11-id = "id" "=" *pk11-pchar + pk11-slot-manuf = "slot-manufacturer" "=" *pk11-pchar + pk11-slot-desc = "slot-description" "=" *pk11-pchar + pk11-slot-id = "slot-id" "=" 1*DIGIT pk11-pin-source = "pin-source" "=" *pk11-qchar pk11-pin-value = "pin-value" "=" *pk11-qchar - pk11-module-name = "module-name" = *pk11-qchar - pk11-module-path = "module-path" = *pk11-qchar + pk11-module-name = "module-name" "=" *pk11-qchar + pk11-module-path = "module-path" "=" *pk11-qchar pk11-x-attr-nm-char = ALPHA / DIGIT / "-" / "_" ; Permitted value of a vendor specific attribute is based on ; whether the attribute is used in the path or in the query. @@ -259,6 +264,7 @@ | | | PKCS#11 | | | | specification to | +----------------------+---------------------+----------------------+ + | | | | +----------------------+---------------------+----------------------+ | id | key identifier for | "CKA_ID" object | | | object | attribute | 
@@ -292,6 +298,20 @@ | | the token | CK_TOKEN_INFO | | | | structure | +----------------------+---------------------+----------------------+ + | slot-description | slot description | "slotDescription" | + | | | member of | + | | | CK_SLOT_INFO | + | | | structure | + +----------------------+---------------------+----------------------+ + | slot-id | Cryptoki-assigned | decimal number of | + | | value that | "CK_SLOT_ID" type | + | | identifies a slot | | + +----------------------+---------------------+----------------------+ + | slot-manufacturer | ID of the slot | "manufacturerID" | + | | manufacturer | member of | + | | | CK_SLOT_INFO | + | | | structure | + +----------------------+---------------------+----------------------+ | token | application-defined | "label" member of | | | label, assigned | the CK_TOKEN_INFO | | | during token | structure | @@ -332,6 +352,13 @@ version number is mandatory. Both "M" and "N" must be decimal numbers. + Slot ID is Cryptoki-assigned number that is not guaranteed stable + across PKCS#11 module initializations. However, slot description and + manufacturer ID may not be enough to uniquely identify a specific + reader. In situations where slot information is necessary use of + "slot-id" attribute may be justified if sufficient slot ID stability + is provided in the PKCS#11 provider itself or externaly. + An empty PKCS#11 URI path attribute that does allow for an empty value matches a corresponding structure member or an object attribute with an empty value. Note that according to the PKCS#11 
@@ -421,8 +448,8 @@ 3.5. PKCS#11 URI Matching Guidelines - The PKCS#11 URI can identify PKCS#11 storage objects, tokens, or - Cryptoki libraries. Note that since a URI may identify three + The PKCS#11 URI can identify PKCS#11 storage objects, tokens, slots, + or Cryptoki libraries. Note that since a URI may identify three different types of entities the context within which the URI is used may be needed to determine the type. For example, a URI with only library attributes may either represent all objects in all tokens in @@ -434,7 +461,7 @@ resource. o the consumer must know whether the URI is to identify PKCS#11 - storage object(s), token(s), or Cryptoki producer(s). + storage object(s), token(s), slot(s), or Cryptoki producer(s). o if the consumer is willing to accept query component module attributes only those PKCS#11 providers matching these attributes @@ -488,11 +515,12 @@ o values of path component attributes "library-description", "library-manufacturer", "manufacturer", "model", "object", - "serial", "token", "type", and query component attribute "module- - name" must be compared using a simple string comparison as - specified in Section 6.2.1 of [RFC3986] after the case and the - percent-encoding normalization are both applied as specified in - Section 6.2.2 of [RFC3986]. + "serial", "slot-description", "slot-manufacturer", "token", + "type", and query component attribute "module-name" must be + compared using a simple string comparison as specified in + Section 6.2.1 of [RFC3986] after the case and the percent-encoding + normalization are both applied as specified in Section 6.2.2 of + [RFC3986]. o value of attribute "id" must be compared using the simple string comparison after all bytes are percent-encoded using uppercase 
@@ -506,6 +534,10 @@ minor version. Resulting minor and major version numbers must be then separately compared numerically. + o value of attribute "slot-id" must be processed as a specific + scheme-based normalization permitted by Section 6.2.3 of [RFC3986] + and compared numerically. + o value of "pin-source", if deemed containing the filename with the PIN value, must be compared using the simple string comparison after the full syntax based normalization as specified in @@ -527,12 +559,12 @@ 4. Examples of PKCS#11 URIs This section contains some examples of how PKCS#11 token objects, - PKCS#11 tokens, and PKCS#11 libraries can be identified using the - PKCS#11 URI scheme. Note that in some of the following examples, - newlines and spaces were inserted for better readability. As - specified in Appendix C of [RFC3986], whitespace should be ignored - when extracting the URI. Also note that all spaces as part of the - URI are percent-encoded, as specified in Appendix A of [RFC3986]. + tokens, slots, and libraries can be identified using the PKCS#11 URI + scheme. Note that in some of the following examples, newlines and + spaces were inserted for better readability. As specified in + Appendix C of [RFC3986], whitespace should be ignored when extracting + the URI. Also note that all spaces as part of the URI are percent- + encoded, as specified in Appendix A of [RFC3986]. An empty PKCS#11 URI might be useful to PKCS#11 consumers. See Section 3.5 for more information on semantics of such a URI. @@ -602,6 +634,12 @@ manufacturer=Snake%20Oil,%20Inc. ?pin-value=the-pin + In the context where a slot is expected the slot can be identified + without specifying any PKCS#11 objects in any token it may be + inserted in it. + + pkcs11:slot-description=Sun%20Metaslot + The Cryptoki library alone can be also identified without specifying a PKCS#11 token or object. 
@@ -668,7 +706,7 @@ From those security considerations, Section 7.1 of [RFC3986] applies since there is no guarantee that the same PKCS#11 URI will always - identify the same object, token, or a library in the future. + identify the same object, token, slot, or a library in the future. Section 7.2 of [RFC3986] applies since by accepting query component attributes "module-name" or "module-path" the consumer potentially
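Review bot: In hunk @@ -5,20 +5,19 @@ the rewritten Abstract is inconsistent about the serial comma within one paragraph: "tokens, slots or libraries" in the first sentence versus "objects, tokens, slots, and libraries" in the second. Pick one form (the rest of the draft uses "a, b, and c") so the enumeration reads the same both times.

Review bot: In hunk @@ -86,40 +85,42 @@ the rewrapped line "+ be uniquely identifiable via the PKCS#11 URI scheme defined in this" still carries the grammatical slip "can be uniquely identifiable"; since the line is being touched anyway, make it "can be uniquely identified". The same hunk's context line "was chosen believed to be sufficient in uniquely identifying a" also reads awkwardly and would be clearer as "was chosen that is believed to be sufficient to uniquely identify a".

Review bot: In hunk @@ -216,10 +218,13 @@ the new rule "+ pk11-slot-id = "slot-id" "=" 1*DIGIT" is the only path attribute that forbids an empty value (every other one is *pk11-pchar), yet the unchanged text later says "An empty PKCS#11 URI path attribute that does allow for an empty value matches a corresponding structure member"; if the asymmetry is intended, that paragraph should name "slot-id" as the attribute that does not allow an empty value so implementers do not have to infer it from the ABNF. The quoting fix on "+ pk11-module-name = "module-name" "=" *pk11-qchar" and the module-path line is correct; the previous unquoted "=" was invalid ABNF.

Review bot: In hunk @@ -259,6 +264,7 @@ the single added line "+ | | | |" inserts an empty table row directly between two "+----+" separator lines, which looks like a formatting slip rather than content; drop the line, or move it to wherever the intended row text was meant to go.

Review bot: In hunk @@ -332,6 +352,13 @@ the new paragraph has "externaly" (should be "externally"), "Slot ID is Cryptoki-assigned number" (missing "a"), and "use of "slot-id" attribute" (missing "the"). More importantly, this paragraph is the only place the draft states that slot IDs are not guaranteed stable across module initializations, which is the core risk of the new attribute: a consumer that stores a slot-id and reuses it after a reinitialization may bind to a different reader. Consider stating what a consumer should do in that case (for example, treat the URI as not matching unless slot-description and slot-manufacturer also agree) and cross-referencing this paragraph from Section 6.

Review bot: In hunk @@ -421,8 +448,8 @@ the rewritten line "+ or Cryptoki libraries. Note that since a URI may identify three" is now wrong: with slots added the sentence lists four kinds of entities (storage objects, tokens, slots, libraries), so "three" should become "four". The next sentence's example ("a URI with only library attributes may either represent all objects in all tokens in") could likewise mention that it also matches every slot of that library, since slots are now a first-class target.

Review bot: In hunk @@ -506,6 +534,10 @@ the rule "+ and compared numerically." should say how out-of-range and padded values are handled: 1*DIGIT admits leading zeros (so "slot-id=01" and "slot-id=1" compare equal, which is fine but worth stating) and places no upper bound on the number, whereas CK_SLOT_ID is a CK_ULONG; a consumer should treat a value that does not fit CK_SLOT_ID as non-matching rather than let it wrap or truncate into a different slot number.

Review bot: In hunk @@ -602,6 +634,12 @@ the lead-in sentence "+ without specifying any PKCS#11 objects in any token it may be inserted in it." is garbled; "in any token that may be inserted in it" is the intended reading. Also, the example "+ pkcs11:slot-description=Sun%20Metaslot" gives only a description, which the paragraph added in the @@ -332 hunk warns "may not be enough to uniquely identify a specific reader"; either add a slot-manufacturer attribute to the example or add a sentence noting that such a URI may match more than one slot and the consumer must be prepared for that.

Review bot: In hunk @@ -668,7 +706,7 @@ the only change is adding "slot" to "+ identify the same object, token, slot, or a library in the future."; the Section 7.1 concern applies more strongly to slot-id than to the other attributes, because the draft itself says slot IDs are not stable across PKCS#11 module initializations. Add a sentence here saying that a consumer relying on "slot-id" must not assume it names the same physical reader after reinitialization and should confirm the slot by its description, manufacturer, or token attributes before using it for sensitive operations.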