April 15, 2015 Meeting Minutes
- Bob performed roll call, we have quorum. This will be an official meeting.
1 Opening remarks (co-chairs)
2 Roll call
3 Review / approval of the agenda
4 Review of previous meeting minutes (March 18, April 1)
5 Old Business
- V.40 items
- RSA Conference
- V2.41 items
- V3.0 Status Items
- Review outputs from NIST workshop
- Topics for next call
6 New Business
7 Review Action Items
8 Adjourn
- BobG: Dinner to be started at 6pm
Motion to accept agenda
- Tim moved, Mark J seconded. No objections or abstentions or discussions.
Approve Previous Meeting Minutes
March 18, 2015 - Tim moved, Jim S seconded. No objections or abstentions or discussions.
April 1, 2015 - Tim moved, Jim S seconded. No objections or abstentions or discussions.
- BobG: OASIS Ballots have closed – we have all the documents across the line.
- Valerie: spoken to OASIS folks and there is consensus that the process is repetitive and slow. OASIS are looking at ways to improve it. Need to leverage the wiki more.
- Tim: We could also look at some docs going to committee note rather than a full spec document – general agreement on that point.
- Valerie: Need an API to handle sunsetting of mechanisms, etc. General agreement on that point.
- BobG: PKCS11 was noted as a critical piece required for most of the items discussed at the NIST workshop but there was little understanding that P11 is still in active development
- BobG: Should look more at using the OASIS PKCS11 wiki for basic information repository on PKCS11 and related materials.
- Tony: Participants are all prepared. Some technical interoperability demonstrations going ahead in the background. KMIP and PKCS11 demos are intermingled and demonstrating interop between p11 and KMIP implementations.
- Bob G: should seek greater exposure of the OASIS interop and in fact of P11 and KMIP TC activities and OASIS marketing functions.
- Bob G: should look at posting on the wiki about relevant conferences that we should be considering speaking at.
- GrahamS: suggests CHES conference in France in September, ASA conference in Verona in July (Graham can help with that event)
- BobG: Votes are complete – we’re done – a press release will follow soon
- BobG: Advocates that much of the content for 2.40 and versions going forward, should remain at committee draft and keep a minimum of items in the point release for full OASIS vote.
Secure Key Import Proposal
- Graham: Presented the proposal as uploaded to the reflector.
- Tim: We do need to raise the concept of a unique identifier and handle this as a separate item.
- Graham to consult with Tim to document the options here.
- GCM/CCM wrap/unwrap
2.1 unique ID, vendor identifiers
2.2 serialization of objects inc vendor specific extensions
2.3 attribute criticality - and/or safe PKCS#11 subset
Message-Based Encryption Functions
Bob R: Presented the proposal as uploaded to the reflector (https://www.oasis-open.org/apps/org/workgroup/pkcs11/download.php/53446/PKCS11MessageBasedEncryption20140624.pdf)
Dina: Suggested ditching V2 and putting message in the mech. – All agreed, so (CK_GCM_PARAMS_V2 -> CK_GCM_MESSAGE_PARAMS)
- Table of vendor-specific functions to be added with specific instructions to be included to warn that the table will be broken as the specification develops and we cherry-pick the appropriate content. Need to evaluate the list to see if it is a 2.41 or a 3.0 inclusion.
- Method for handling addition of new functions in v2.41 discussed. BobR to bring forward a proposal around a subset of previous discussions handling both the new v2.41 functions, the original v2.40 table and a vendor specific table.
- Mark P presented on AES/XTS – no proposal, based on email from Marko Nippula on 29/30 May 2014.
- Proposal being sought to support.
- Decision is to have a new key type.
- Dina raised a range of questions.
- Dina to draft topics for usage guide content in relation to her questions and these will appear in the list of items.
- CK_Destroyable in section 4.4 – addition of superscript for lockable and destroyable
- CKA_COPYABLE has opportunities for implementation divergence. Discussion. BobR to contribute to Usage Guide.
- Chris to modify CKA_COPYABLE and 11 against CKA_DESTROYABLE to contain superscript.
- Email received from Chet about header files
- Stef created a set of header files back in Sep
- Never fully reconciled with the final version of the specifications
- Valerie: Stef's work unclear if this is what they should be or what is in the spec. Should be what is in the standard. Pointer to known issues. Need final version.
- Tim: translating - want pristine v2.40 and errata v2.40 (that moves to v2.41).
Error codes & deprecation
- We need a proposal about some extended error codes and a method for deprecating items. – Valerie to make a start
- Tim: suggested CKR_prohibited_by_policy.
- Dina mentioned a lack of responses to questions posted to the list
- Suggestion of an interop subcommittee – Bob to think about it and bring a proposal in two weeks.
Direction of the PKCS11 TC
- BobG: Raised the issue of total lack of visibility of P11 and the fact it isn’t recognised despite wide deployment
Post quantum crypto workshop
- BobG: speaking with Burt K and have concerns about PKCS11 in a post quantum crypto environment
- signed code packages and bootstrapping/re-establishing trust after a compromise
- BobG: attending a post-quantum crypto RSA meeting on Sunday 19th. Described “SAFECrypto” proposal.
- BobG: Should we consider supporting hash based signatures and state within HSMs? Probably needs more than just a new mechanism
- Approach is to come up with a post-quantum crypto signature scheme such that we can securely handle changed, updated items once quantum crypto is an actual threat. This allows for a controlled path to channel the panic responses.
- Next call to be scheduled on 29 April 2015
- Bob G: to approach EMC/RSA to see if the historical PKCS Series documents can be brought out and hosted on the PKCS11 wiki.
- TonyC: Add a link to the main TC public page to known PKCS11 implementation page and ensure the page is updated at least once a quarter (update need only be simple)
- TonyC: Add a wiki page for “PKCS11 activities” for folks to blog to. Product announcements permitted in a defined format.
- GrahamS: add some of the more pertinent blog entries from the Cryptosense blog to the “PKCS11 activities page”
- BobG: reach out to CarolG @ OASIS to look into greater visibility of the RSA interop and related items.
- TonyC: look at posting relevant conferences and events on the wiki
- Dina: draft usage guide content in relation to her questions for review in 2 weeks
- BobG and BobR: to contribute to Usage Guide in relation to locking attributes to prevent modification.
- Dina: bring forward list of items.
- Chris: build errata list to note 12 against CKA_COPYABLE and 11 against CKA_DESTROYABLE.
- Chris: post the current header files into the document folder for review for 2.40.
- Dina: post the errata header files into the document folder for review for 2.40.
- MarkJ: Offered to assist in testing that the errata header file
- Dina: provide the working draft which is a continuation of Stef’s contribution and Oscar’s work.
- Valerie: take a first stab at a proposal to an expanded set of error codes and a method of signalling disable by policy.
- BobG: add matching text to usage guide
- BobG: provide a proposal at the meeting on the 29th regarding an interop subcommittee
- BobR: look at how far https://tools.ietf.org/html/draft-mcgrew-hash-sigs-02 is away from being implementable.
- BobG: arrange a face to face meeting in September and invite Burt K and Dave McG to discuss how PKCS11 and vendors supporting it can ensure alignment with the hash-based signing etc.
- BobG: circulate the relevant links and to check with Bert about releasing some of the relevant slides.
- BobR: come back with the last piece of work from Wan-Teh's proposal
- Dieter: create 3.0 suggestion document, move 2.40 suggestions over into new 3.0 suggestion document. (not started, yet) (09042014.01)
- Tony: Move all action items into JIRA
- GrahamS: Develop proposal on secure key import and bring it forward to the group.
- MarkP: To bring forward an AES-XTS proposal
- Minutes for today's meeting were reviewed, updated and agreed/accepted. Tim moves, BobR seconds, no objections, abstentions or comments.
Motion to Adjourn
- Tim moved, BobR seconded. No objections or abstentions or discussions. Adjourned 15:59PM US-PST.