May 24, 2017 Meeting Minutes - Approved
Meeting commenced 1:02 PM PST
- Roll call (Tony C.) - quorum achieved
- Roll call
- Review / approval of the agenda
- Review of previous meeting minutes (May 10, 2017)
- Spec additions (voice-vote vs full ballot)
- Deadlines (Tony C.)
Items from public review comments on 2.40 Errata 01 that TC wanted to try to take action on for 3.0 - proposals required (Comments: https://www.oasis-open.org/apps/org/workgroup/pkcs11/download.php/58032 )
- Item 12 – make the doc match the header file wrt CK_TLS_MAC_PARAMS (Chris Z)
- Item 20 – Tells people to look at the wiki for information on TLS 1.2 mechanisms. 2 problems: info is NOT on the wiki and we should not reference the wiki for normative information (needs owner)
- Item 13 - ECDH2 derive params are not in the docs, but in the header file. Anyone volunteer to write the text for these mechanisms? (needs owner)
- Item 21 – CKM_TLS12_KDF is present in headers however it is not described in the docs. Provide proposal for the proposed documentation content for header file items noted (needs owner)
- Item 14 - Definitions of CKK_MD5_HMAC, CKK_RIPEMD128_HMAC and CKK_RIPEMD160_HMAC were merged from draft of v2.30. They were not present in v2.40 and currently are not described in the docs. (Bob R)
- Item 15 - Definitions of CKK_SHA_1_HMAC, CKK_SHA256_HMAC, CKK_SHA384_HMAC, CKK_SHA512_HMAC, CKK_SHA224_HMAC were merged from draft of v2.30. Their values were not present in v2.40. This should be at least mentioned in errata docs. (Bob R)
- Item 18 - Definitions of CK_AES_GCM_PARAMS and CK_AES_CCM_PARAMS structures are completely new in v2.40e1 headers and they are already marked as deprecated. This may be a leftover from v2.30 headers (see #2). It is strange to see a new structure being introduced and deprecated at the same time. Provide proposal for the proposed documentation content for header file items noted (Bob R)
- Item 17 – Definition of CKA_DERIVE_TEMPLATE is completely new in v2.40e1 headers. It was not present in any older version and currently is not described in the docs. This may be a leftover from v2.30 headers (see #2). (Tim H)
- Additional ECC Curves (Darren J)
- KMIP Mappings (Tim H)
- C_LoginUser (Tim H)
- IPsec Derive (Bob R)
- Provisioning (Bob R)
- SP-800-108 - KDF (Darren J)
- GCM/CCM Errors (David G)
- V 3.1
- Testing Profiles (Mark J & Anthony B.)
- Associating Attributes to Wrapped Keys (Graham S)
- DSA text improvements (Dina K, Bob R & Tony C)
- TLS text improvements (Owner required)
- CKM_NULL (Owner required)
- Blockchain (David)
- Call for late arrivals
- Set next meeting date
Motion to approve Agenda
- Tim moved. Dieter seconded. No objections, comments or abstentions. Motion approved.
Motion to approve meeting minutes
- Tim moved. Bruce seconded. Comments only that we should address the error of the accidentally opened ballot by having a motion today to open a ballot for C_LoginUser. No objections or abstentions. Minutes approved.
Spec Additions (voice-vote vs full ballot)
- Tony has not received any additional comments, neither have Bob or Valerie.
- Valerie's comment is that if we go to using voice votes for more obvious motions, then someone needs to keep a list of these on the wiki, but she doesn't have time.
- Tony suggested each proposal owner do it. Valerie has concerns it won't get done, unless we formalize a casual discussion on "bringing a proposal through PKCS11 TC", so she has volunteered to do it now with the plea that people PLEASE verify their proposals (voice or ballot) are captured. Tony agrees we should work on the "bring a proposal" forward at a later date.
Deadlines (Tony C.)
- Proposals aren't all done, yet, do we need more time? Last date for consideration in v 3.0 would be decided on June 7, so proposals must be uploaded or sent to the mailing list by May 31. Nothing will be accepted after it. No objections or comments against.
- Valerie presented last week at ICMC17 on "what's in 3.0", a well-attended slot with interested folks. Valerie gave special thanks to reviewers, particularly Tim & Dieter for catching things she missed. Comments received by email were sent to the reflector. (Slides: https://www.oasis-open.org/apps/org/workgroup/pkcs11/download.php/60816/ICMC2017-PKCS11.pdf )
Items from public review comments on 2.40 Errata 01 that TC wanted to try to take action on for 3.0 - proposals required.
Item 12 – make the doc match the header file wrt CK_TLS_MAC_PARAMS (Chris Z)
- Chris out, deferred.
Item 20 – Tells people to look at the wiki for information on TLS 1.2 mechanisms. 2 problems: info is NOT on the wiki and we should not reference the wiki for normative information (Chris Z?)
- Motion done on 10 May meeting means this will go to Chris, and cleared from agenda.
- Anyone able to help? Needed for 3.0, can't really leave it out. This is a 2 key derivation scheme. Darren Johnson to send info to Tony, Tony will take a stab at writing this up. Tony's concerned this may be multiple impacted mechanisms.
- Tim: This comes with a companion item like 21, will need some prose.
- Bob: could Darren provide the mechanism param, since he's actually implemented it?
- Darren: there is a second key handle for a second private key. Are there other standards that may require 2 key schemes?
- Tony: please do help out with review.
Item 21 – CKM_TLS12_KDF is present in headers however it is not described in the docs. Provide proposal for the proposed documentation content for header file items noted (Needs owner)
- Tony will take a crack at this as well, as per discussion for item 13.
- closed, recommendation is to remove from header files
- closed as fixed
Item 16 - Definitions of CKM_ECDSA_SHA224, CKM_ECDSA_SHA256, CKM_ECDSA_SHA384 and CKM_ECDSA_SHA512 are completely new in v2.40e1 headers. They were not present in any older version and currently are not described in the docs. This may be a leftover from v2.30 headers (see #2). (Bob R?)
- decided on option 3 to write more text
- closed, not an issue, no change required. We accepted 2.30 as "existing" but they were not right so were deprecated.
Item 19 – Definitions of CKD_SHA224_KDF, CKD_SHA256_KDF, CKD_SHA384_KDF, CKD_SHA512_KDF and CKD_CPDIVERSIFY_KDF are completely new in v2.40e1 headers. This may be a leftover from v2.30 headers (see #2). (Bob R?)
- Requires some text, coming from Bob very soon.
- This was mixed up in the 10 May 2017 minutes, which resulted in the wrong ballot being opened. Tony will take the action to open the correct ballot.
Additional ECC Curves (Darren J)
- Still trying to get together with Bob on this. Send an email to Bob. Bob is not sure what response is needed, and he's lost context. Darren will resend and set up time to talk w/Bob.
KMIP Mappings (Tim H)
- no update.
C_LoginUser (Tim H)
- Ballot inadvertently opened, due to typo in 10 May minutes. To correct the mistake, we will make the motion today for C_LoginUser.
- Tim moves to open a ballot on C_LoginUser proposal he uploaded. Mark seconds. No objections, abstentions or comments. Motion approved.
IPsec Derive (Bob R)
- no update, should have one by next week.
Provisioning (Bob R)
- Sent two updated documents. One is an update on provisioning and one is an additional profile. Tony asks folks to please review so we can sign off at our next meeting.
SP-800-108 - KDF (Darren J)
- Almost finished, will forward it out and hoping it's not too big for still making 3.0. We've been discussing, so it should be okay.
GCM/CCM Errors (David G)
- Fairly straightforward, except the issue with CK_ULONG which will overflow on 32-bit platforms. Want to take it down by 1, NIST lets you go to 296 bits, but they recommend 96. Bob is happy with this, as long as we will still be able to do what NIST wants. Resend by May 31. Bob notes to look at the current GCM in Bob's proposal.
V 3.1 (3.10? 3.01?)
- Tony: most OASIS standards don't have 2-digit revisions. Valerie noted we've had a history in PKCS11 of using two digits. Bob is leaning toward 3.10. Tim noted that OASIS doesn't care what we call it. We just have to be consistent with our minor version number. Valerie's concerned that some programmers in future won't get that 3.10 is bigger than 3.9, especially considering use of text in C_GetFunctionLists().
- Tony will add for future discussion.
- Bob notes we may adjust version number depending on how much stuff we put in it.
Testing Profiles (Mark J & Anthony B.)
- No comments
Associating Attributes to Wrapped Keys (Graham S)
- No Graham, deferred.
DSA text improvements (XX, Bob R & Tony C)
- Still need new owners.
TLS text improvements (Owner required)
CKM_NULL (Owner required)
Blockchain (David)
- No update today.
Call for late arrivals
- no late arrivals.
Set next meeting date
- June 7, 2017
Motion to Adjourn
- Tim moved. Bruce seconded. No objections, comments or abstentions. Motion approved.