Network Working Group                                        J. Pechanec
Internet-Draft                                    Sun Microsystems, Inc.
Intended status: Standards Track                               D. Moffat
Expires: September 2, 2010                            Oracle Corporation
                                                           March 1, 2010


                         The PKCS#11 URI Scheme
                       draft-pechanec-pkcs11uri-00

Abstract

   This memo specifies a PKCS#11 Uniform Resource Identifier (URI)
   Scheme for identifying PKCS#11 objects stored in PKCS#11 tokens, or
   for identifying PKCS#11 tokens themselves.  The URI is based on how
   PKCS#11 objects are identified in the PKCS #11 Cryptographic Token
   Interface Standard.

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on September 2, 2010.

Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the BSD License.

Table of Contents

   1.  Introduction
   2.  PKCS#11 URI Scheme Definition
     2.1.  PKCS#11 URI Scheme Name
     2.2.  PKCS#11 URI Scheme Status
     2.3.  PKCS#11 URI Scheme Syntax
   3.  Examples of PKCS#11 URI Schemes
   4.  IANA Considerations
   5.  Security Considerations
   6.  Normative References
   Authors' Addresses

1.  Introduction

   The PKCS #11: Cryptographic Token Interface Standard [pkcs11_spec]
   specifies an API, called Cryptoki, for devices which hold
   cryptographic information and perform cryptographic functions.
   Cryptoki, pronounced crypto-key and short for cryptographic token
   interface, follows a simple object-based approach, addressing the
   goals of technology independence (any kind of device may be used)
   and resource sharing (multiple applications may access multiple
   devices), presenting applications with a common, logical view of the
   device - a cryptographic token.

   It is desirable for applications or libraries that work with PKCS#11
   tokens to accept a common identifier that consumers could use to
   identify an existing PKCS#11 object in a PKCS#11 token, or an
   existing token itself.  The set of object types that can be stored in
   a PKCS#11 token includes a public key, a private key, a certificate,
   a secret key, and a data object.  These objects can be uniquely
   identified via the PKCS#11 URI scheme defined in this document.
   The set of attributes that identifies a PKCS#11 token can contain a
   token label, a manufacturer name, a serial number, and a token model.

   Note that the PKCS#11 URI is not intended to be used to create new
   PKCS#11 objects in tokens, or to create PKCS#11 tokens.  It is solely
   to be used to identify existing objects or existing tokens.

2.  PKCS#11 URI Scheme Definition

   In accordance with [RFC4395], this section provides the information
   required to register the PKCS#11 URI scheme.

2.1.  PKCS#11 URI Scheme Name

   pkcs11

2.2.  PKCS#11 URI Scheme Status

   Permanent.

2.3.  PKCS#11 URI Scheme Syntax

   The PKCS#11 URI scheme is a sequence of attribute value pairs.  Given
   that the PKCS#11 specification allows any byte value in the PKCS#11
   attributes in question, any byte sequence must also be allowed in the
   URI.  Semicolons may be escaped with a backslash.

   A PKCS#11 URI takes the form (for explanation of Augmented BNF, see
   [RFC5234]):

   pk11-URI = pk11-scheme ":" pk11-identifier
   pk11-scheme = "pkcs11"
   pk11-identifier = *1(pk11-attr *(%x3B pk11-attr))
   pk11-attr = pk11-token / pk11-manufacturer /
               pk11-serial / pk11-model / pk11-object /
               pk11-objecttype / pk11-passphrasedialog
   pk11-semicolon = "\" %x3B
   pk11-label = *(%x00-3A / %x3C-FF / pk11-semicolon)
   pk11-token = "token" "=" pk11-label
   pk11-manufacturer = "manufacturer" "=" pk11-label
   pk11-serial = "serial" "=" pk11-label
   pk11-model = "model" "=" pk11-label
   pk11-object = "object" "=" pk11-label
   pk11-objecttype = "objecttype" "=" ("public" / "private" /
                     "cert" / "secretkey" / "data")
   pk11-passphrasedialog = "passphrasedialog" "=" ("builtin" / exec)
   exec = "exec" ":" filename
   filename = 1*(%x00-3A / %x3C-FF / pk11-semicolon)

   While the PKCS#11 specification limits the length of some fields,
   e.g., the manufacturer label can be up to thirty-two characters long,
   the PKCS#11 URI does not impose such limitations.  It is up to the
   consumer of the PKCS#11 URI to perform any necessary sanity checks.

   The attribute "token" represents a token label, the attribute
   "manufacturer" represents a manufacturer ID, the attribute "serial"
   represents a token serial number, the attribute "model" represents a
   token model, the attribute "object" represents a PKCS#11 object
   label, the attribute "objecttype" represents the type of the object,
   and the attribute "passphrasedialog" specifies how the application or
   library should ask for the token PIN, if needed.  The "builtin" value
   suggests that the application or the library should use whatever
   means of reading the PIN it can provide, and the "exec:" value
   specifies an external application whose standard output should be
   used as the token PIN.

3.  Examples of PKCS#11 URI Schemes

   This section contains some examples of how PKCS#11 tokens or PKCS#11
   token objects can be identified using the PKCS#11 URI scheme.

   An empty PKCS#11 URI might be useful to PKCS#11 consumers:

   pkcs11:

   One of the simplest and most useful forms might be a PKCS#11 URI that
   specifies only an object label and its type.  The default token is
   used so the URI does not specify it.  Note that when specifying
   public objects, a token PIN might not be required.

   pkcs11:object=my-pubkey;objecttype=public

   Specifying a private key will usually need to use the
   "passphrasedialog" attribute:

   pkcs11:object=my-key;objecttype=private;passphrasedialog=builtin

   The following example identifies a certificate in the software token.
   Note that all attributes aside from "passphrasedialog" and
   "objecttype" may have an empty value.  In our case, "serial" is
   empty.  It's up to the consumer of the URI to perform necessary
   checks if that is not allowed.  Also note that in all three of the
   following examples, newlines and spaces were inserted for better
   readability.  Usage of newlines or spaces after semicolons is illegal
   in the PKCS#11 URI scheme defined above.

   pkcs11:token=Software PKCS#11 softtoken;
          manufacturer=Snake Oil, Inc.;
          serial=;
          model=1.0;
          object=my-certificate;
          objecttype=cert;
          passphrasedialog=exec:/bin/askpass.sh

   The token alone can be identified without specifying any PKCS#11
   objects.  A PIN may still be needed to list all objects, for example.

   pkcs11:token=Sun Software PKCS#11 softtoken;
          manufacturer=Sun Microsystems, Inc.;
          passphrasedialog=exec:/bin/askpass.sh

   The following example shows that the attribute value can contain a
   semicolon.  In this case, it must be escaped.

   pkcs11:token=The token\; created by Joe;
          object=my-certificate;
          objecttype=cert;
          passphrasedialog=exec:/bin/askpass.sh

4.  IANA Considerations

   This document registers a URI scheme.  The registration template can
   be found in Section 2 of this document.

5.  Security Considerations

   There are many security considerations for URI schemes discussed in
   [RFC3986].

   Given that the PKCS#11 URI is also supposed to be used in command
   line arguments to running programs, and those arguments can be world
   readable on some systems, the URI intentionally does not allow for
   specifying the PKCS#11 token PIN as a URI attribute.

6.  Normative References

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", RFC 3986,
              STD 66, January 2005.

   [RFC4395]  Hansen, T., Hardie, T., and L. Masinter, "Guidelines and
              Registration Procedures for New URI Schemes", RFC 4395,
              February 2006.

   [RFC5234]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", RFC 5234, January 2008.
   [pkcs11_spec]
              RSA Laboratories, "PKCS #11: Cryptographic Token Interface
              Standard v2.20", June 2004.

Authors' Addresses

   Jan Pechanec
   Sun Microsystems, Inc.
   The Park, building 3
   V parku 2308/8
   Prague 14800
   CZ

   Phone: +420 233 009 380
   Email: Jan.Pechanec@Sun.COM
   URI:   http://www.sun.com


   Darren J. Moffat
   Oracle Corporation
   Guillemont Park
   Building 3
   Camberley GU17 9QG
   UK

   Email: Darren.Moffat@Sun.COM
   URI:   http://www.oracle.com
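   The following Python parser is an added illustration for this page,
   not code from the draft or its authors.  It implements the ABNF of
   Section 2.3 (attribute=value pairs split on unescaped semicolons,
   "\;" as the only escape, the constrained "objecttype" and
   "passphrasedialog" values) and accepts the URIs of Section 3 with
   their presentational line breaks removed.  Two things in it are
   consumer policy rather than rules of the scheme, of the kind Section
   2.3 leaves to the consumer: rejecting a repeated attribute, and the
   thirty-two character manufacturer check that the draft mentions but
   does not impose.

```python
"""Parser for the pkcs11: URI scheme of draft-pechanec-pkcs11uri-00, Section 2.3.

Added illustration, not code from the draft or its authors.  The identifier is
a list of attribute=value pairs separated by ';'.  A literal ';' inside a value
is written as '\\;' (pk11-semicolon); the ABNF admits every other byte as-is,
so nothing else is escaped or percent-decoded.
"""
from typing import Dict, List

SCHEME = "pkcs11"
# Attributes whose value is a free-form pk11-label (an empty value is legal).
LABEL_ATTRS = ("token", "manufacturer", "serial", "model", "object")
OBJECT_TYPES = ("public", "private", "cert", "secretkey", "data")
# Section 2.3 notes that PKCS#11 itself caps the manufacturer ID at 32
# characters while the URI scheme does not; a consumer may check it anyway.
PKCS11_MANUFACTURER_MAX = 32


class Pkcs11UriError(ValueError):
    """Raised for any deviation from the ABNF of Section 2.3."""


def split_attributes(identifier: str) -> List[str]:
    """Split a pk11-identifier on unescaped ';', turning '\\;' into ';'.

    A backslash before any other byte is an ordinary label byte, not an
    escape, because only "\\" %x3B is given a meaning in the grammar.
    """
    attrs: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(identifier):
        ch = identifier[i]
        if ch == "\\" and identifier[i + 1:i + 2] == ";":
            current.append(";")
            i += 2
            continue
        if ch == ";":
            attrs.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    attrs.append("".join(current))
    return attrs


def parse_pkcs11_uri(uri: str) -> Dict[str, str]:
    """Return the attributes of a pkcs11: URI, or raise Pkcs11UriError."""
    scheme, sep, identifier = uri.partition(":")
    # Scheme names are case-insensitive per RFC 3986.
    if not sep or scheme.lower() != SCHEME:
        raise Pkcs11UriError(f"not a pkcs11: URI: {uri!r}")
    result: Dict[str, str] = {}
    if identifier == "":
        return result  # the empty URI "pkcs11:" is valid (Section 3)
    for attr in split_attributes(identifier):
        name, eq, value = attr.partition("=")
        if not eq:
            raise Pkcs11UriError(f"attribute without '=': {attr!r}")
        if name in LABEL_ATTRS:
            pass
        elif name == "objecttype":
            if value not in OBJECT_TYPES:
                raise Pkcs11UriError(f"unknown objecttype {value!r}")
        elif name == "passphrasedialog":
            # "builtin", or "exec:" followed by a non-empty filename (1*...).
            if value != "builtin" and not (value.startswith("exec:") and len(value) > 5):
                raise Pkcs11UriError(f"bad passphrasedialog value {value!r}")
        else:
            # Anything else is rejected: typos, whitespace after ';' (which the
            # grammar makes part of the name) and a PIN attribute, which
            # Section 5 deliberately leaves undefined.
            raise Pkcs11UriError(f"unknown attribute {name!r}")
        if name in result:  # consumer policy, not a rule of the grammar
            raise Pkcs11UriError(f"duplicate attribute {name!r}")
        result[name] = value
    return result


def is_valid_pkcs11_uri(uri: str) -> bool:
    """Boolean front end to parse_pkcs11_uri for quick validity checks."""
    try:
        parse_pkcs11_uri(uri)
        return True
    except Pkcs11UriError:
        return False


def build_pkcs11_uri(attrs: Dict[str, str]) -> str:
    """Serialise attributes back into a pkcs11: URI, escaping ';' as '\\;'."""
    pairs = [name + "=" + value.replace(";", "\\;") for name, value in attrs.items()]
    return SCHEME + ":" + ";".join(pairs)


def check_pkcs11_limits(attrs: Dict[str, str]) -> List[str]:
    """Consumer-side sanity checks that the URI scheme itself does not impose."""
    problems: List[str] = []
    manufacturer = attrs.get("manufacturer")
    if manufacturer is not None and len(manufacturer) > PKCS11_MANUFACTURER_MAX:
        problems.append(f"manufacturer ID longer than {PKCS11_MANUFACTURER_MAX} characters")
    return problems


if __name__ == "__main__":
    # Examples of Section 3 with their line breaks removed, plus one
    # constructed invalid URI with a space after ';'.
    for example in (
        "pkcs11:",
        "pkcs11:object=my-pubkey;objecttype=public",
        "pkcs11:token=The token\\; created by Joe;object=my-certificate;"
        "objecttype=cert;passphrasedialog=exec:/bin/askpass.sh",
        "pkcs11:object=my-key; objecttype=private",
    ):
        try:
            print(example, "->", parse_pkcs11_uri(example))
        except Pkcs11UriError as err:
            print(example, "-> rejected:", err)
```

   Running the module parses the draft's examples and rejects the
   constructed one with a space after the semicolon, since that space
   becomes part of the attribute name " objecttype", which the grammar
   does not know.  A URI that tried to carry the PIN as an attribute
   fails the same way, which is the behaviour Section 5 asks for.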