< draft-pechanec-pkcs11uri-20.txt   draft-pechanec-pkcs11uri-21.txt >
Network Working Group J. Pechanec Network Working Group J. Pechanec
Internet-Draft D. Moffat Internet-Draft D. Moffat
Intended status: Standards Track Oracle Corporation Intended status: Standards Track Oracle Corporation
Expires: August 9, 2015 February 5, 2015 Expires: August 17, 2015 February 13, 2015
The PKCS#11 URI Scheme The PKCS#11 URI Scheme
draft-pechanec-pkcs11uri-20 draft-pechanec-pkcs11uri-21
Abstract Abstract
This memo specifies a PKCS#11 Uniform Resource Identifier (URI) This memo specifies a PKCS#11 Uniform Resource Identifier (URI)
Scheme for identifying PKCS#11 objects stored in PKCS#11 tokens, and Scheme for identifying PKCS#11 objects stored in PKCS#11 tokens, and
also for identifying PKCS#11 tokens, slots or libraries. The URI is also for identifying PKCS#11 tokens, slots or libraries. The URI is
based on how PKCS#11 objects, tokens, slots, and libraries are based on how PKCS#11 objects, tokens, slots, and libraries are
identified in the PKCS#11 Cryptographic Token Interface Standard. identified in the PKCS#11 Cryptographic Token Interface Standard.
Status of This Memo Status of This Memo
skipping to change at page 1, line 34 skipping to change at page 1, line 34
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 9, 2015. This Internet-Draft will expire on August 17, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 48 skipping to change at page 3, line 48
PKCS#11 API the query component module attributes can be used. PKCS#11 API the query component module attributes can be used.
However, the PKCS#11 URI consumer can always decide to provide its However, the PKCS#11 URI consumer can always decide to provide its
own adequate user interface to locate and load PKCS#11 API producers. own adequate user interface to locate and load PKCS#11 API producers.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. Contributors 2. Contributors
Stef Walter, Nikos Mavrogiannopoulos, Nico Williams, Dan Winship, and Stef Walter, Nikos Mavrogiannopoulos, Nico Williams, Dan Winship,
Jaroslav Imrich contributed to the development of this document. Jaroslav Imrich, and Mark Phalan contributed to the development of
this document.
3. PKCS#11 URI Scheme Definition 3. PKCS#11 URI Scheme Definition
In accordance with [RFC4395], this section provides the information In accordance with [RFC4395], this section provides the information
required to register the PKCS#11 URI scheme. required to register the PKCS#11 URI scheme.
3.1. PKCS#11 URI Scheme Name 3.1. PKCS#11 URI Scheme Name
pkcs11 pkcs11
3.2. PKCS#11 URI Scheme Status 3.2. PKCS#11 URI Scheme Status
Permanent. Permanent.
3.3. PKCS#11 URI Scheme Syntax 3.3. PKCS#11 URI Scheme Syntax
The PKCS#11 URI is a sequence of attribute value pairs separated by a The PKCS#11 URI is a sequence of attribute value pairs separated by a
semicolon that form a one level path component, optionally followed semicolon that form a one level path component, optionally followed
by a query. In accordance with Section 2.5 of [RFC3986], the textual by a query. Except for the value of the "id" attribute defined later
data SHOULD first be encoded as octets according to the UTF-8 in this section, these attribute value pairs and query components are
character encoding [RFC3629]; then only those octets that do not composed entirely of textual data and therefore SHOULD all first be
correspond to characters in the unreserved set or to permitted encoded as octets according to the UTF-8 character encoding
characters from the reserved set should be percent-encoded. The only [RFC3629], in accordance with Section 2.5 of [RFC3986]; then only
PKCS#11 URI attribute defined in this document which MAY contain non- those octets that do not correspond to characters in the unreserved
textual data is the "id" attribute, as stated later in this section. set or to permitted characters from the reserved set SHOULD be
When working with UTF-8 strings with characters outside the US-ASCII percent-encoded. Note that the value of the "id" attribute SHOULD
character sets, see important caveats in Section 3.5 and Section 6. NOT be encoded as UTF-8 because it can contain non-textual data,
instead it SHOULD be entirely percent-encoded. See important caveats
in Section 3.5 and Section 6 regarding working with UTF-8 strings
containing characters outside the US-ASCII character set.
Grammar rules "unreserved" and "pct-encoded" in the PKCS#11 URI Grammar rules "unreserved" and "pct-encoded" in the PKCS#11 URI
specification below are imported from [RFC3986]. As a special case, specification below are imported from [RFC3986]. As a special case,
note that according to Appendix A of [RFC3986], a space must be note that according to Appendix A of [RFC3986], a space must be
percent-encoded. percent-encoded.
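Review bot: the rewritten syntax paragraph (the block beginning 'Except for the value of the "id" attribute') states the producer side of the "id" rule but leaves the consumer side implicit. It says the value SHOULD NOT be encoded as UTF-8 and SHOULD be entirely percent-encoded, but never that percent-decoding yields raw octets which must be matched byte-for-byte against CKA_ID, which can contain arbitrary binary data. A consumer that treats the decoded value as a character string (for example a NUL-terminated one) can truncate it and select a different object than the one the URI names. Suggest adding a sentence along the lines of: 'A consumer MUST treat the percent-decoded value of the "id" attribute as an octet string and compare it directly with the "CKA_ID" attribute; it MUST NOT interpret it as a character string.' Also, 'because it can contain non-textual data, instead it SHOULD be entirely percent-encoded' is a comma splice; split it: '... because it can contain non-textual data. Instead, the whole value SHOULD be percent-encoded.'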
The PKCS#11 specification imposes various limitations on the value of The PKCS#11 specification imposes various limitations on the value of
attributes, be it a more restrictive character set for the "serial" attributes, be it a more restrictive character set for the "serial"
attribute or fixed sized buffers for almost all the others, including attribute or fixed sized buffers for almost all the others, including
"token", "manufacturer", and "model" attributes. The syntax of the "token", "manufacturer", and "model" attributes. The syntax of the
skipping to change at page 8, line 19 skipping to change at page 8, line 19
Table 1: Mapping between URI path component attributes and PKCS#11 Table 1: Mapping between URI path component attributes and PKCS#11
specification names specification names
The following table presents mapping between the "type" attribute The following table presents mapping between the "type" attribute
values and corresponding PKCS#11 object classes. values and corresponding PKCS#11 object classes.
+-----------------+----------------------+ +-----------------+----------------------+
| Attribute value | PKCS#11 object class | | Attribute value | PKCS#11 object class |
+-----------------+----------------------+ +-----------------+----------------------+
| public | CKO_PUBLIC_KEY |
| private | CKO_PRIVATE_KEY |
| cert | CKO_CERTIFICATE | | cert | CKO_CERTIFICATE |
| secret-key | CKO_SECRET_KEY |
| data | CKO_DATA | | data | CKO_DATA |
| private | CKO_PRIVATE_KEY |
| public | CKO_PUBLIC_KEY |
| secret-key | CKO_SECRET_KEY |
+-----------------+----------------------+ +-----------------+----------------------+
Table 2: Mapping between the "type" attribute and PKCS#11 object Table 2: Mapping between the "type" attribute and PKCS#11 object
classes classes
The query component attribute "pin-source" specifies where the The query component attribute "pin-source" specifies where the
application or library should find the normal user's token PIN, the application or library should find the normal user's token PIN, the
"pin-value" attribute provides the normal user's PIN value directly, "pin-value" attribute provides the normal user's PIN value directly,
if needed, and the "module-name" and "module-path" attributes modify if needed, and the "module-name" and "module-path" attributes modify
default settings for accessing PKCS#11 providers. For the definition default settings for accessing PKCS#11 providers. For the definition
skipping to change at page 8, line 45 skipping to change at page 8, line 45
The ABNF rules above is a best effort definition and this paragraph The ABNF rules above is a best effort definition and this paragraph
specifies additional constraints. The PKCS#11 URI MUST NOT contain specifies additional constraints. The PKCS#11 URI MUST NOT contain
duplicate attributes of the same name in the URI path component. It duplicate attributes of the same name in the URI path component. It
means that each attribute may be present at most once in the PKCS#11 means that each attribute may be present at most once in the PKCS#11
URI path component. Aside from the query attributes defined in this URI path component. Aside from the query attributes defined in this
document, duplicate (vendor) attributes MAY be present in the URI document, duplicate (vendor) attributes MAY be present in the URI
query component and it is up to the URI consumer to decide on how to query component and it is up to the URI consumer to decide on how to
deal with such duplicates. deal with such duplicates.
The whole value of the "id" attribute SHOULD be percent-encoded since As stated earlier in this section, the value of the "id" attribute
the corresponding PKCS#11 "CKA_ID" object attribute can contain can contain non-textual data. This is because the corresponding
arbitrary binary data. PKCS#11 "CKA_ID" object attribute can contain arbitrary binary data.
Therefore, the whole value of the "id" attribute SHOULD be percent-
encoded.
The "library-version" attribute represents the major and minor The "library-version" attribute represents the major and minor
version number of the library and its format is "M.N". Both numbers version number of the library and its format is "M.N". Both numbers
are one byte in size, see the "libraryVersion" member of the CK_INFO are one byte in size, see the "libraryVersion" member of the CK_INFO
structure in [PKCS11] for more information. Value "M" for the structure in [PKCS11] for more information. Value "M" for the
attribute MUST be interpreted as "M" for the major and "0" for the attribute MUST be interpreted as "M" for the major and "0" for the
minor version of the library. If the attribute is present the major minor version of the library. If the attribute is present the major
version number is REQUIRED. Both "M" and "N" MUST be decimal version number is REQUIRED. Both "M" and "N" MUST be decimal
numbers. numbers.
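Review bot: the reworded "id" paragraph ('As stated earlier in this section, the value of the "id" attribute can contain non-textual data ...') now repeats, nearly verbatim, the normative requirement already given in the rewritten syntax paragraph, so the same rule is stated twice with two separate SHOULDs that an implementer has to keep in sync. Suggest keeping this paragraph as the single normative statement (it sits next to the CKA_ID rationale) and reducing the earlier mention to a cross-reference. Separately, because the requirement is SHOULD rather than MUST, a conforming producer may still emit unencoded octets in "id"; either say explicitly that consumers MUST accept both the percent-encoded and the raw form, or raise the requirement to MUST if accepting raw octets is not intended. Nit in the unchanged context above this block: 'The ABNF rules above is a best effort definition' should read 'The ABNF rules above are a best-effort definition'.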
 End of changes. 9 change blocks. 
20 lines changed or deleted 26 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/