Re: PKCS#11 URI slot attributes & last call

Jan Pechanec <jan.pechanec@oracle.com> Fri, 19 December 2014 19:03 UTC

Date: Fri, 19 Dec 2014 11:02:48 -0800
From: Jan Pechanec <jan.pechanec@oracle.com>
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Subject: Re: PKCS#11 URI slot attributes & last call
In-Reply-To: <1418900792.7577.5.camel@gnutls.org>
Message-ID: <alpine.GSO.2.00.1412191051540.4549@keflavik>
References: <alpine.GSO.2.00.1412161359100.4549@keflavik> <CAB6OCMvGxT99cGGBSBbz=XU2+F1xRzBa97z6dY-qPSJk1GWXyQ@mail.gmail.com> <20141217230150.GB9443@localhost> <CAB6OCMvkPSfNYqftAgbcN5KrG7kxb5ooico205O6EffcsU8SwQ@mail.gmail.com> <20141218000736.GL9443@localhost> <alpine.GSO.2.00.1412171614240.4549@keflavik> <CAB6OCMsAdTarz5XBHgTnU=v9qweS5B6mk-tb7Gbf7kwkDFBDMg@mail.gmail.com> <20141218004717.GN9443@localhost> <alpine.GSO.2.00.1412171704530.4549@keflavik> <20141218012300.GP9443@localhost> <alpine.GSO.2.00.1412172154150.14405@rejewski> <1418900792.7577.5.camel@gnutls.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/UXAxpsRJ_p7xz3KxYvUGaLrrbhc
Cc: Darren J Moffat <Darren.Moffat@oracle.com>, Stef Walter <stef@thewalter.net>, Jaroslav Imrich <jaroslav.imrich@gmail.com>, ietf@ietf.org, saag@ietf.org

On Thu, 18 Dec 2014, Nikos Mavrogiannopoulos wrote:

>On Wed, 2014-12-17 at 22:54 -0800, Jan Pechanec wrote:
>
>> +   Slot ID is a Cryptoki-assigned number that is not guaranteed stable
>> +   across PKCS#11 module initializations.  However, slot description and
>> +   manufacturer ID may not be enough to uniquely identify a specific
>> +   reader.  In situations where slot information is necessary use of
>> +   "slot-id" attribute may be justified if sufficient slot ID stability
>> +   is provided in the PKCS#11 provider itself or externaly.
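Review bot: "externaly" in the last `+` line is misspelled ("externally"), and "use of "slot-id" attribute" in the line above it is missing an article ("use of the "slot-id" attribute").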
>
>Hello Jan,
>I'd like to propose the following text instead:
>"Slot ID is a Cryptoki-assigned number that is not guaranteed stable
>across PKCS#11 module initializations. However, there are certain
>libraries and modules which provide stable slot numbers and
>descriptions. For these cases, when the manufacturer ID is not
>sufficient to uniquely identify a specific reader, the slot
>information could be used to increase the precision of the token
>identification. In other scenarios, using the slot identifiers is
>likely to cause usability issues."
>
>That text discusses both the benefits and the risks.

	hi Nikos, thank you, I like that it is more explicit.  I made 
a minor modification since it could be implied that a slot description 
might have a different stability level than a slot manufacturer ID.

-   Slot ID is Cryptoki-assigned number that is not guaranteed stable
-   across PKCS#11 module initializations.  However, slot description and
-   manufacturer ID may not be enough to uniquely identify a specific
-   reader.  In situations where slot information is necessary use of
-   "slot-id" attribute may be justified if sufficient slot ID stability
-   is provided in the PKCS#11 provider itself or externaly.
+   Slot ID is a Cryptoki-assigned number that is not guaranteed stable
+   across PKCS#11 module initializations.  However, there are certain
+   libraries and modules which provide stable slot identifiers.  For
+   these cases, when the slot description and manufacturer ID is not
+   sufficient to uniquely identify a specific reader, the slot ID could
+   be used to increase the precision of the token identification.  In
+   other scenarios, using slot IDs is likely to cause usability
+   issues.
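Review bot: subject-verb agreement in the new `+` text: "when the slot description and manufacturer ID is not sufficient" should read "are not sufficient" (compound subject). The text also leaves open what a URI consumer should do with "slot-id" when the module is not one of the "certain libraries and modules" with stable slot identifiers; since a renumbered ID can point at a different slot after re-initialization, saying explicitly that "slot-id" is meant to be combined with "slot-description"/"slot-manufacturer" to "increase the precision" rather than used on its own would make the usability caveat actionable for implementers.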

	attached is draft-pechanec-pkcs11uri-17-v2.txt

	there will be more versions as I'm gonna address more comments 
that came in during the last call.

	regards, Jan.

-- 
Jan Pechanec <jan.pechanec@oracle.com>
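To make the slot-ID stability point concrete, here is an added Python example (my own code, not the draft's text nor any PKCS#11 library's implementation) that parses the slot-level path attributes of a pkcs11: URI and matches them against constructed slot tables from two initializations of the same module, where the module hands out different slot IDs the second time. It assumes the attribute names "slot-id", "slot-description" and "slot-manufacturer" (as in the draft and later RFC 7512) and that path attributes may not repeat; the slot tables and reader names are constructed sample data.

```python
from urllib.parse import unquote

def parse_pkcs11_uri(uri):
    """Return the path attributes of a pkcs11: URI as a dict (query part ignored)."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URI")
    attrs = {}
    for part in uri[len("pkcs11:"):].split("?", 1)[0].split(";"):
        if not part:
            continue
        name, _, value = part.partition("=")
        if name in attrs:  # a path attribute is allowed at most once (assumption: RFC 7512 rule)
            raise ValueError("duplicate attribute: " + name)
        attrs[name] = unquote(value)  # pct-decode only after splitting on ';' and '='
    return attrs

def slot_matches(attrs, slot):
    """True if every slot-level attribute present in the URI matches this slot.
    Cryptoki pads slotDescription/manufacturerID with spaces, so compare stripped."""
    if "slot-id" in attrs and int(attrs["slot-id"]) != slot["id"]:
        return False
    if "slot-description" in attrs and attrs["slot-description"] != slot["description"].strip():
        return False
    if "slot-manufacturer" in attrs and attrs["slot-manufacturer"] != slot["manufacturer"].strip():
        return False
    return True

def find_slots(uri, slots):
    """IDs of the slots the URI selects: 0 hits = unusable URI, more than 1 = ambiguous."""
    attrs = parse_pkcs11_uri(uri)
    return [s["id"] for s in slots if slot_matches(attrs, s)]

# Constructed sample data: two identical readers as enumerated by one module on two
# initializations; on the second run another reader is enumerated first, so the
# module assigns different slot IDs to the same physical readers.
FIRST_INIT = [
    {"id": 0, "description": "ACME USB Reader    ", "manufacturer": "ACME    "},
    {"id": 1, "description": "ACME USB Reader    ", "manufacturer": "ACME    "},
]
SECOND_INIT = [
    {"id": 0, "description": "Other Vendor Reader", "manufacturer": "Other   "},
    {"id": 1, "description": "ACME USB Reader    ", "manufacturer": "ACME    "},
    {"id": 2, "description": "ACME USB Reader    ", "manufacturer": "ACME    "},
]

BY_DESCRIPTION = "pkcs11:slot-manufacturer=ACME;slot-description=ACME%20USB%20Reader"
BY_SLOT_ID = "pkcs11:slot-id=0"          # selects a different physical reader on run 2
COMBINED = BY_DESCRIPTION + ";slot-id=0"  # unambiguous on run 1, matches nothing on run 2

if __name__ == "__main__":
    for uri in (BY_DESCRIPTION, BY_SLOT_ID, COMBINED):
        print(uri, "->", find_slots(uri, FIRST_INIT), find_slots(uri, SECOND_INIT))
```

Description and manufacturer alone are ambiguous for the two identical readers, "slot-id" disambiguates them on the first run, and after renumbering the bare "slot-id" URI silently picks the other vendor's reader while the combined URI matches nothing, which is the usability problem the proposed text warns about.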