Re: PKCS#11 URI slot attributes & last call

Jan Pechanec <jan.pechanec@oracle.com> Wed, 17 December 2014 23:53 UTC

Return-Path: <jan.pechanec@oracle.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 540FE1A0084; Wed, 17 Dec 2014 15:53:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Uin1yjicJOPX; Wed, 17 Dec 2014 15:52:58 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B91741A007A; Wed, 17 Dec 2014 15:52:58 -0800 (PST)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id sBHNqruY013545 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 17 Dec 2014 23:52:54 GMT
Received: from aserz7021.oracle.com (aserz7021.oracle.com [141.146.126.230]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id sBHNqqCS023988 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Wed, 17 Dec 2014 23:52:53 GMT
Received: from abhmp0011.oracle.com (abhmp0011.oracle.com [141.146.116.17]) by aserz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id sBHNqqGm023981; Wed, 17 Dec 2014 23:52:52 GMT
Received: from keflavik.us.oracle.com (/10.132.148.214) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 17 Dec 2014 15:52:51 -0800
Date: Wed, 17 Dec 2014 15:52:50 -0800
From: Jan Pechanec <jan.pechanec@oracle.com>
X-X-Sender: jpechane@keflavik
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Subject: Re: PKCS#11 URI slot attributes & last call
In-Reply-To: <1418809054.2100.9.camel@gnutls.org>
Message-ID: <alpine.GSO.2.00.1412171537500.4549@keflavik>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <1418771511.2106.7.camel@gnutls.org> <20141216234252.GN3241@localhost> <1418809054.2100.9.camel@gnutls.org>
User-Agent: Alpine 2.00 (GSO 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/FdWx4Hh5pUWzbGlAo6OGeTjGKhI
X-Mailman-Approved-At: Thu, 18 Dec 2014 08:24:59 -0800
Cc: Darren.Moffat@oracle.com, Stef Walter <stef@thewalter.net>, Jaroslav Imrich <jaroslav.imrich@gmail.com>, ietf@ietf.org, saag@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Dec 2014 23:53:00 -0000

On Wed, 17 Dec 2014, Nikos Mavrogiannopoulos wrote:

>On Tue, 2014-12-16 at 17:42 -0600, Nico Williams wrote:
>> The rationale is this:
>>  - you may have a PKCS#11 library with various slots, and you may have
>>    builtin tokens as well as removable tokens, and...
>
>Correct.
>
>>  - you need to intelligently pick one at logon time so you don't prompt
>>    the user for PIN entry for tokens they don't have access to (e.g.,
>>    the TPM), just the one smartcard they plugged in.
>
>Correct.
>
>> PKCS#11 is pretty lousy at this, and all we have to match on are the
>> various slot and token attributes.
>> There are tokens that won't let you list public objects without PIN
>> entry.  And there are tokens where incorrect PIN entry can lead to
>> logout.  And PAM has limits as to what it can do in terms of
>> intelligently prompting a user for a slot/token/object.
>
>I don't follow how the above require the slots to be known in order to
>figure where the object is. In gnutls we handle all of these use cases,
>and we don't need to know the slot at all. First you iterate all slots
>searching for the object, and then you login and search again. How would
>knowing the slot would have helped that?

	hi Nikos, if I expect a token to be inserted with some key 
(rather then identifying the key to use) then specifying the slot 
where such token is to be found seems useful to me.  If I understand 
it correctly, that's how pam_pkcs11 works.  It has two configuration 
options for this - slot description and slot ID.

	I know that the slot ID is cryptoki module specific.  It would 
have been nice if the specification supported token serial number as 
it does for tokens.

	also, the PKCS#11 URI can be used to identify PKCS#11 objects, 
tokens, and libraries.  I think that adding attributes to add the last 
major element, a token, is a good idea.

	the updated text would have to provide information about 
general unreliability using the slot ID, for example.

	Jan.

-- 
Jan Pechanec <jan.pechanec@oracle.com>