Network Working Group J. Pechanec
Internet-Draft Sun Microsystems, Inc.
Intended status: Standards Track D. Moffat
Expires: September 2, 2010 Oracle Corporation
March 1, 2010
The PKCS#11 URI Scheme
draft-pechanec-pkcs11uri-00
Abstract
This memo specifies a PKCS#11 Uniform Resource Identifier (URI)
Scheme for identifying PKCS#11 objects stored in PKCS#11 tokens, or
for identifying PKCS#11 tokens themselves. The URI is based on how
PKCS#11 objects are identified in the PKCS #11 Cryptographic Token
Interface Standard.
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 2, 2010.
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
Pechanec & Moffat Expires September 2, 2010 [Page 1]
Internet-Draft The PKCS#11 URI Scheme March 2010
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. PKCS#11 URI Scheme Definition . . . . . . . . . . . . . . . . . 3
2.1. PKCS#11 URI Scheme Name . . . . . . . . . . . . . . . . . . 3
2.2. PKCS#11 URI Scheme Status . . . . . . . . . . . . . . . . . 3
2.3. PKCS#11 URI Scheme Syntax . . . . . . . . . . . . . . . . . 3
3. Examples of PKCS#11 URI Schemes . . . . . . . . . . . . . . . . 4
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
5. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
6. Normative References . . . . . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 6
Pechanec & Moffat Expires September 2, 2010 [Page 2]
Internet-Draft The PKCS#11 URI Scheme March 2010
1. Introduction
The PKCS #11: Cryptographic Token Interface Standard [pkcs11_spec]
specifies an API, called Cryptoki, for devices which hold
cryptographic information and perform cryptographic functions.
Cryptoki, pronounced crypto-key and short for cryptographic token
interface, follows a simple object-based approach, addressing the
goals of technology independence (any kind of device may be used?)
and resource sharing (multiple applications may access multiple
devices), presenting applications with a common, logical view of the
device - a cryptographic token.
It is desirable for applications or libraries that work with PKCS#11
tokens to accept a common identifier that consumers could use to
identify an existing PKCS#11 object in a PKCS#11 token, or an
existing token itself. The set of object types that can be stored in
a PKCS#11 token includes a public key, a private key, a certificate,
a secret key, and a data object. These objects can be uniquely
identifiable via the PKCS#11 URI scheme defined in this document.
The set of attributes that identifies a PKCS#11 token can contain a
token label, a manufacturer name, a serial number, and a token model.
Note that the PKCS#11 URI is not intended to be used to create new
PKCS#11 objects in tokens, or to create PKCS#11 tokens. It is solely
to be used to identify existing objects or existing tokens.
2. PKCS#11 URI Scheme Definition
In accordance with [RFC4395], this section provides the information
required to register the PKCS#11 URI scheme.
2.1. PKCS#11 URI Scheme Name
pkcs11
2.2. PKCS#11 URI Scheme Status
Permanent.
2.3. PKCS#11 URI Scheme Syntax
The PKCS#11 URI scheme is a sequence of attribute value pairs. Given
that the PKCS#11 specification allows for any byte value to be used
in the PKCS#11 attributes used, any byte sequence must also be
allowed in the URI. Semicolons may be escaped with a backslash.
Pechanec & Moffat Expires September 2, 2010 [Page 3]
Internet-Draft The PKCS#11 URI Scheme March 2010
A PKCS#11 URL takes the form (for explanation of Augmented BNF, see
[RFC5234]):
pk11-URI = pk11-scheme ":" pk11-identifier
pk11-scheme = "pkcs11"
pk11-identifier = *1(pk11-attr *(%x3B pk11-attr))
pk11-attr = pk11-token / pk11-manufacturer /
pk11-serial / pk11-model / pk11-object /
pk11-objecttype / pk11-passphrasedialog
pk11-semicolon = "\" %x3B
pk11-label = *(%x00-3A / %x3C-FF / pk11-semicolon)
pk11-token = "token" "=" pk11-label
pk11-manufacturer = "manufacturer" "=" pk11-label
pk11-serial = "serial" "=" pk11-label
pk11-model = "model" "=" pk11-label
pk11-object = "object" "=" pk11-label
pk11-objecttype = "objecttype" "=" ("public" / "private" /
"cert" / "secretkey" / "data")
pk11-passphrasedialog = "passphrasedialog" "=" "builtin" / exec
exec = "exec" ":" filename
filename = 1*(%x00-3A / %x3C-FF / pk11-semicolon)
While the PKCS#11 specification limits the length of some fields, eg.
the manufacturer label can be up to thirty-two characters long, the
PKCS#11 URI does not impose such limitations. It is up to the
consumer of the PKCS#11 URI to perform any necessary sanity checks.
The attribute "token" represents a token label, the attribute
"manufacturer" represents a manufacturer ID, the attribute "serial"
represents a token serial number, the attribute "model" represents a
token model, the attribute "object" represents a PKCS#11 object
label, the attribute "objecttype" represents the type of the object,
and the attribute "passphrasedialog" specifies how the application or
library should ask for the token PIN, if needed. The "builtin" value
suggests that the application or the library should use whatever
means of reading the PIN it can provide, and the "exec:<filename>"
value specifies an external application whose standard output should
be used as the token PIN.
3. Examples of PKCS#11 URI Schemes
This section contains some examples of how PKCS#11 tokens or PKCS#11
token objects can be identified using the PKCS#11 URI scheme.
An empty PKCS#11 URI might be useful to PKCS#11 consumers:
pkcs11:
Pechanec & Moffat Expires September 2, 2010 [Page 4]
Internet-Draft The PKCS#11 URI Scheme March 2010
One of the simplest and most useful forms might be a PKCS#11 URI that
specifies only an object label and its type. The default token is
used so the URI does not specify it. Note that when specifying
public objects, a token PIN might not be required.
pkcs11:object=my-pubkey;objecttype=public
Specifying a private key will usually need to use the
"passphrasedialog" attribute:
pkcs11:object=my-key;objecttype=private;passphrasedialog=builtin
The following example identifies a certificate in the software token.
Note that all attributes aside from "passphrasedialog" and
"objecttype" may have an empty value. In our case, "serial" is
empty. It's up to the consumer of the URI to perform necessary
checks if that is not allowed. Also note that in all three of the
following examples, newlines and spaces were inserted for better
readability. Usage of newlines or spaces after semicolons is illegal
in the PKCS#11 URI scheme defined above.
pkcs11:token=Software PKCS#11 softtoken;
manufacturer=Snake Oil, Inc.;
serial=;
model=1.0;
object=my-certificate;
objecttype=cert;
passphrasedialog=exec:/bin/askpass.sh
The token alone can be identified without specifying any PKCS#11
objects. A PIN may still be needed to list all objects, for example.
pkcs11:token=Sun Software PKCS#11 softtoken;
manufacturer=Sun Microsystems, Inc.;
passphrasedialog=exec:/bin/askpass.sh
The following example shows that the attribute value can contain a
semicolon. In this case, it must be escaped.
pkcs11:token=The token\; created by Joe;
object=my-certificate;
objecttype=cert;
passphrasedialog=exec:/bin/askpass.sh
Pechanec & Moffat Expires September 2, 2010 [Page 5]
Internet-Draft The PKCS#11 URI Scheme March 2010
4. IANA Considerations
This document registers a URI scheme. The registration template can
be found in Section 2 of this document.
5. Security Considerations
There are many security considerations for URI schemes discussed in
[RFC3986].
Given that the PKCS#11 URI is also supposed to be used in command
line arguments to running programs, and those arguments can be world
readable on some systems, the URI intentionaly does not allow for
specifying the PKCS#11 token PIN as a URI attribute.
6. Normative References
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", RFC 3986,
STD 66, January 2005.
[RFC4395] Hansen, T., Hardie, T., and L. Masinter, "Guidelines and
Registration Procedures for New URI Schemes", RFC 4395,
February 2006.
[RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", RFC 5234, January 2008.
[pkcs11_spec]
RSA Laboratories, "PKCS #11: Cryptographic Token Interface
Standard v2.20", June 2004.
Authors' Addresses
Jan Pechanec
Sun Microsystems, Inc.
The Park, building 3
V parku 2308/8
Prague 14800
CZ
Phone: +420 233 009 380
Email: Jan.Pechanec@Sun.COM
URI: http://www.sun.com
Pechanec & Moffat Expires September 2, 2010 [Page 6]
Internet-Draft The PKCS#11 URI Scheme March 2010
Darren J. Moffat
Oracle Corporation
Guillemont Park
Building 3
Camberley GU17 9QG
UK
Email: Darren.Moffat@Sun.COM
URI: http://www.oracle.com
Pechanec & Moffat Expires September 2, 2010 [Page 7]
