August 13, 2014 Meeting Minutes
- Bob performed roll call; we have quorum. This will be an official meeting.
1 Opening remarks (co-chairs)
2 Roll call
3 Review / approval of the agenda
4 Review of previous meeting minutes
5 Old Business
- Status of V2.40 second public review
- Statements of Use
- v3.0 topics
- How to get new mechanisms out faster than v3.0 (AES-XTS, possibly others)
- Topics for next call
6 New Business
7 Review Action Items
Motion to accept agenda
Approve Previous Meeting Minutes
Status on 2.40 third review
- Bob G: Public review has commenced on the two items (Spec and mechanisms). As this is just a review of the delta from the last publications, we should not see too many changes/comments. We do have some editorial changes to go through.
- Bob G: I'll let folks know whether we will be likely to have a vote on the new committee spec and mechanisms to get them through to an OASIS-wide organizational vote. We'll then be looking for SoUs to push that forward.
- Bob G: Once we have an OASIS Candidate Spec available we should look to some PR and press releases. Valerie is giving a presentation as mentioned on the last call. I will be putting forward a presentation for RSA Conference in April of 2015; if anyone would like to contribute to that or be a part of it, please let me know. I'll also be looking at other means of broadcasting this status.
- Sven: I haven't received any response from the Smart Card Alliance for the November meeting for the US Government proposal, so still waiting for that.
How to get new mechanisms out faster than v3.0 (AES-XTS, possibly others)/minor releases
- Bob G: Moving forward post 2.40 - I've put some items into the document I've posted. Sven, have you identified any items?
- Sven: From a marketing perspective we should choose some items that would help folks who are turning to other interfaces. So if there are some easier/smaller issues (e.g. error codes), we should work on those sooner.
- Bob G: Can you bring forward a list for the next meeting?
- Sven: I believe so - I just need to understand the difference between a point release and a full release. What is the better option: smaller releases more often, or a single larger release that fixes more things? It means consumers might be updating their implementations more/less often, especially considering the release cycle of larger companies.
- Tim: For reference, a quick release through OASIS is about 6 months and a major release is usually 12-18 months, so we should look at the content list and break it out based on effort, time required and impact.
- Bob G: I believe we have a selection of items that would fit in both a major and a minor release.
- Bob G: I would ask folks to have a look at the document I posted, and I hope we can work on a minor release and a major release in parallel.
- Graham S: We're seeing requirements from some of the folks we work with, large banks etc., implementing disaster recovery on HSMs, who are finding that the facilities for securing the exporting and importing of keys using PKCS11 don't meet their security requirements. In the worst case an attacker might mix in some of his own P11 calls with the legitimate calls that the applications want to make and expose some values. The common solution is to make the important keys unextractable, meaning that proprietary solutions are required to enable backup, and this means no interoperability and vendor lock-in. Building on the proposal from Doran (CKM_RSA_EAS_Keywrap), that small bit of functionality is very useful. I'm proposing to add an equivalent mechanism for AES encryption to provide an authenticated encryption mode. I'd also like to encode attributes into the authenticated data, so on decrypt you have the same security attributes. I've posted a proposal and I'd appreciate some feedback on that.
- Bob R: I'd like to see some use cases on that, as I'm not sure about security given I could use a non-PKCS11 device to decrypt that and work around it.
- Graham S: I'll work on some use case content and add that in. Thanks Bob.
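To illustrate the idea discussed above (an authenticated AES wrap that binds security attributes to the wrapped key), here is an added example that is not part of the minutes or of any TC proposal: it uses AES-GCM from the Go standard library, with a constructed attribute encoding as the additional authenticated data, so an unwrap that presents different attributes (say, EXTRACTABLE flipped on) fails the tag check instead of importing a weakened key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Attrs is a constructed subset of the security attributes carried with the wrapped key.
type Attrs struct{ Extractable, Sensitive bool } // CKA_EXTRACTABLE, CKA_SENSITIVE

// encode produces the AAD; this layout is an assumption for the example, not a real mechanism's.
func (a Attrs) encode() []byte {
	return []byte(fmt.Sprintf("extractable=%t;sensitive=%t;", a.Extractable, a.Sensitive))
}

func newGCM(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap encrypts keyBytes under the KEK with AES-GCM, binding attrs as AAD. Output: nonce || ciphertext || tag.
func Wrap(kek, keyBytes []byte, attrs Attrs) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, keyBytes, attrs.encode()), nil
}

// Unwrap returns the key only if ciphertext and presented attrs are exactly what was wrapped.
func Unwrap(kek, wrapped []byte, attrs Attrs) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	if len(wrapped) < gcm.NonceSize() {
		return nil, fmt.Errorf("wrapped blob too short")
	}
	nonce, ct := wrapped[:gcm.NonceSize()], wrapped[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, attrs.encode())
}
```

The KEK is assumed to live only inside the HSMs taking part in the backup, which is what keeps a non-PKCS11 device from unwrapping the blob.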
Statements of Use
Moving forward with v3.0
Topics for Next Call
- Bob G: Discuss taking an initial cut of the items that should go into the point release and move forward from there.
- Valerie: create 3.0 suggestion document, move 2.40 suggestions over into new 3.0 suggestion document. (not started, yet) (09042014.01)
- Bob: will make a first pass by going through meeting minutes. I will send to Valerie, who can clean it up and post to the wiki. (09042014.02) (Complete Aug 3, 2014)
- Valerie (et al): add new suggestions to the 3.0 wiki, so we can track if they have owners and are moving forward. (09042014.03)
- Bob G: how about I take time to write up a couple of paragraphs on how to get out a new mechanism to take to the team by the next meeting? (04062014.01)
- Tim H: send suggestions on how to handle minor updates prior to v3.0 to the list (16072014.01)
Motion to Adjourn
- Tim moved, Bob R seconded. No objections, abstentions or discussion. Adjourned 1:25PM US-PDT.