Re: [Uri-review] PKCS#11 URI registration request review

Jan Pechanec <jan.pechanec@oracle.com> Tue, 12 February 2013 16:47 UTC

Date: Tue, 12 Feb 2013 08:48:03 -0800
From: Jan Pechanec <jan.pechanec@oracle.com>
X-X-Sender: jpechane@rejewski
To: Larry Masinter <masinter@adobe.com>
In-Reply-To: <C68CB012D9182D408CED7B884F441D4D1E403191B4@nambxv01a.corp.adobe.com>
Message-ID: <alpine.GSO.2.00.1302111531110.11187@rejewski>
References: <alpine.GSO.2.00.1301261430001.28908@rejewski> <alpine.GSO.2.00.1302081722560.7401@rejewski> <C68CB012D9182D408CED7B884F441D4D1E403191B4@nambxv01a.corp.adobe.com>
User-Agent: Alpine 2.00 (GSO 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Cc: "Darren.Moffat@oracle.com" <Darren.Moffat@oracle.com>, "uri-review@ietf.org" <uri-review@ietf.org>
Subject: Re: [Uri-review] PKCS#11 URI registration request review

On Mon, 11 Feb 2013, Larry Masinter wrote:

>It's completely unclear to me what advantage you get from having this 
>stuff packed into a URI rather than some XML/JSON data structure, which 
>would more easily address the I18N and other issues. It seems like the 
>applicability of this "scheme" is to fit into a "URI" slot in some 
>protocol that doesn't need to be a URI but just some other kind of 
>Identifier.

	 hi, while we don't want to limit its use, the primary objective 
is to use it as a simple string-based user-defined public/private key or 
an X.509 certificate identifier directly used by an application 
supporting PKCS#11 tokens. I can see that Darren already gave an example 
of its use in ZFS crypto in his reply.

	to address the I18N concern, the PKCS#11 specification allows 
UTF8 in most of the fields used in the scheme so we must support it, and 
while it would be easier to deal with it in XML/JSON, experience shows 
that it's not much of a concern as plain ASCII is being used while users 
benefit from the simple string format.
	
	I expect that the most common use of the identifier will be as a 
parameter value on a command line. To give you an idea what applications 
(and libraries) have already adopted it and use it as defined in the 
draft, there is a list of those I know of:

GnuTLS
	- GNU Transport Layer Security Library
	- www.gnutls.org
Gnome
	- by gnome-keyring since version 3.3.5
	- http://developer.gnome.org/gck/3.6/gck-PKCS11-URIs.html
p11-kit
	- kit for unification of PKCS#11 modules
	- http://cgit.freedesktop.org/p11-glue/p11-kit
OpenSC
	- tools and libraries for smart cards
	- https://www.opensc-project.org/opensc
	- via p11-kit
Solaris 11
	- for referencing keys in ZFS filesystem encryption
	- SunSSH to reference keys/certs used in the X.509 based 
	  authentication
OpenConnect
	- client for Cisco's AnyConnect SSL VPN
	- http://www.infradead.org/openconnect/
	- via p11-kit

	Google search shows other communities or projects discussing or 
planning to use the scheme:

Fedora
	https://fedoraproject.org/wiki/PackagingDrafts/PKCS11
GnuPG
	via GnuTLS
	
>I'm willing to believe there's a justification and that the document 
>just doesn't give it.

	please let me know if the explanation above answers the concerns 
you raised and whether you think I need to update the draft accordingly.

	regards, Jan.


>> -----Original Message-----
>> From: uri-review-bounces@ietf.org [mailto:uri-review-bounces@ietf.org] On
>> Behalf Of Jan Pechanec
>> Sent: Friday, February 08, 2013 5:29 PM
>> To: uri-review@ietf.org
>> Cc: Darren.Moffat@oracle.com
>> Subject: Re: [Uri-review] PKCS#11 URI registration request review
>> 
>> On Sat, 26 Jan 2013, Jan Pechanec wrote:
>> 
>> 	hi, the section 5.2 of RFC 4395 notes "Allow a reasonable time
>> for discussion and comments. Four weeks is reasonable for a permanent
>> registration requests."
>> 
>> 	I will wait for two more weeks if there is any feedback (which
>> would be greatly appreciated) to make it 4 weeks in total, and if there
>> is none I will continue with the next step, which is the submission to
>> iana@iana.org.
>> 
>> 	regards, Jan.
>> 
>> >	hello,
>> >
>> >	in accordance with section "5.2. Registration Procedures" of RFC
>> >4395 "Guidelines and Registration Procedures for New URI Schemes", I
>> >respectfully request a review for our planned permanent registration
>> >request of the PKCS#11 URI as specified in the following I-D:
>> >
>> >	http://tools.ietf.org/html/draft-pechanec-pkcs11uri-08 
>> >
>> >	the registration template is attached.
>> >
>> >	best regards, Jan Pechanec
>> >
>> >
>> 
>> --
>> Jan Pechanec
>> http://blogs.oracle.com/janp
>> _______________________________________________
>> Uri-review mailing list
>> Uri-review@ietf.org
>> https://www.ietf.org/mailman/listinfo/uri-review
>

-- 
Jan Pechanec <jan.pechanec@oracle.com>
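The message above argues that the PKCS#11 URI is a plain string identifier whose fields may carry UTF-8 while most real-world URIs stay pure ASCII. The following parser and formatter is an added illustration for this page, not code from the draft or from any of the projects listed in the message. It assumes the syntax of the draft family cited (`pkcs11:` scheme, path attributes separated by `;`, query attributes after `?` separated by `&`, values percent-encoded as UTF-8, `id` treated as an opaque byte string); the attribute names and sample labels are constructed for the demonstration.

```python
"""Parser/formatter for PKCS#11 URIs as described in the message above.

Constructed illustration written for this page; it is not code from the draft
or from any project listed in the message.  Assumed syntax (from the draft
family the message refers to):

    pkcs11:name=value[;name=value...][?name=value[&name=value...]]

Path attributes (before '?') are separated by ';', query attributes by '&',
and every value is percent-encoded UTF-8, so a label in any script fits in
a plain ASCII string while a purely ASCII label needs no encoding at all.
"""
from urllib.parse import quote, unquote, unquote_to_bytes

SCHEME = "pkcs11:"
BINARY_ATTRS = {"id"}   # assumed: 'id' is an opaque byte string, not text


class PKCS11URIError(ValueError):
    """Raised for a URI that does not fit the assumed grammar."""


def _split(segment, sep):
    """Split 'a=1;b=2' into raw (still percent-encoded) name/value pairs.

    Splitting happens before decoding: a literal ';', '&' or '=' inside a
    value must be percent-encoded, so it can never be mistaken for syntax.
    """
    pairs = {}
    if not segment:
        return pairs
    for part in segment.split(sep):
        name, eq, raw = part.partition("=")
        if not eq or not name:
            raise PKCS11URIError(f"malformed attribute {part!r}")
        if name in pairs:
            raise PKCS11URIError(f"duplicate attribute {name!r}")
        pairs[name] = raw
    return pairs


def _decode(name, raw):
    """Percent-decode one value; text must be valid UTF-8, 'id' stays bytes."""
    if name in BINARY_ATTRS:
        return unquote_to_bytes(raw)
    try:
        return unquote(raw, encoding="utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise PKCS11URIError(f"{name!r} is not valid percent-encoded UTF-8") from exc


def parse_pkcs11_uri(uri):
    """Return {'path': {...}, 'query': {...}} with decoded attribute values."""
    if not uri.startswith(SCHEME):
        raise PKCS11URIError("not a pkcs11: URI")
    path_part, _, query_part = uri[len(SCHEME):].partition("?")
    return {
        "path": {n: _decode(n, v) for n, v in _split(path_part, ";").items()},
        "query": {n: _decode(n, v) for n, v in _split(query_part, "&").items()},
    }


def is_valid_pkcs11_uri(uri):
    """True if the string parses under the assumed grammar."""
    try:
        parse_pkcs11_uri(uri)
        return True
    except PKCS11URIError:
        return False


def _encode(name, value):
    if name in BINARY_ATTRS:
        return "".join(f"%{b:02X}" for b in value)
    # safe="" percent-encodes every reserved character (';', '&', '?', '/', ...)
    return quote(value, safe="")


def format_pkcs11_uri(path, query=None):
    """Build a URI from decoded attributes (inverse of parse_pkcs11_uri)."""
    out = SCHEME + ";".join(f"{n}={_encode(n, v)}" for n, v in path.items())
    if query:
        out += "?" + "&".join(f"{n}={_encode(n, v)}" for n, v in query.items())
    return out


# Constructed sample inputs, not taken from any real token.
ASCII_URI = "pkcs11:token=mytoken;object=mykey;type=private"
UTF8_URI = ("pkcs11:token=%C5%A0ifrovac%C3%AD%20token;object=kl%C3%AD%C4%8D;"
            "type=private;id=%01%02%FF?pin-source=file:/etc/pin")
BAD_UTF8_URI = "pkcs11:token=%C3"   # truncated multibyte sequence, must be rejected


if __name__ == "__main__":
    print(parse_pkcs11_uri(ASCII_URI))
    print(parse_pkcs11_uri(UTF8_URI))
    print("bad UTF-8 accepted?", is_valid_pkcs11_uri(BAD_UTF8_URI))
```

The parser splits on the raw separators before percent-decoding, which is what makes the single-string form safe for non-ASCII labels: a label containing `;` or `&` must be encoded, so decoding cannot create new syntax. Rejecting values that are not valid UTF-8 after decoding is the check a command-line consumer wants, since the same string may later be compared byte-for-byte against a token label.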