Ballot Details: Approve ck-ecdh2-derive-params for inclusion in PKCS#11 v3.0 (CLOSED)
|Ballot Question||Do you approve the proposal for ck-ecdh2-derive-params for inclusion in PKCS#11 v3.0?|
|Ballot Description||Proposal made to the PKCS#11 TC on November 8, 2017 in response to comments received for PKCS#11 2.40 Errata.
This proposal relates to Item 13 - ck-ecdh2-derive-params - https://www.oasis-open.org/apps/org/workgroup/pkcs11/download.php/61980/latest/ck-ecdh2-derive-params_tc.docx
VOTING CLOSED: Monday, 27 November 2017 @ 6:00 pm PST
|Open Date||Monday, 13 November 2017 @ 6:00 am PST|
|Close Date||Monday, 27 November 2017 @ 6:00 pm PST|
|Ballot Type||Official, as defined by organization policies and procedures|
|v2.40 Errata - Item 16 - ck-ecdh2-derive-params||Document||2017-11-07|
|Number of votes cast (excluding abstentions)||8|
|Eligible members who have voted||8 of 13||61.538%|
|Eligible members who have not voted||5 of 13||38.462%|
|Options with highest number of votes are bold|
|Option||# Votes||% of Total|
|Voter Name||Company||Vote||Time (UTC)||Comments|
|Bong, Dieter||Utimaco IS GmbH||Yes||2017-11-14 12:28:00||1|
|Corlett, Justin||Cryptsoft Pty Ltd.||Yes||2017-11-22 23:19:00|
|Hudson, Tim||Cryptsoft Pty Ltd.||Yes||2017-11-22 21:17:00|
|Relyea, Robert||Red Hat||Yes||2017-11-13 23:02:00||1|
|Scott, Greg||Cryptsoft Pty Ltd.||Yes||2017-11-14 01:12:00|
|Fenwick, Valerie||Intel Corporation||No||2017-11-21 23:34:00||1|
|Johnson, Darren||SafeNet, Inc.||No||2017-11-17 03:42:00||1|
|Rich, Bruce||Cryptsoft Pty Ltd.||No||2017-11-22 21:31:00||1|
|Cox, Tony||Cryptsoft Pty Ltd.||--|
|Fitzgerald, Indra||Micro Focus||--|
|Minder, Daniel||Utimaco IS GmbH||--|
|Yes||Do we want to point to the other hash kdf's we now have for other derive functions?
Utimaco IS GmbH
|Yes||I support Bobs comment. Maybe the text can reference the extended table 34 from https://www.oasis-open.org/apps/org/workgroup/pkcs11/download.php/61152/PKCS11_KDF_Proposal_Approved.zip
|No||sounds like this still needs some work.
Cryptsoft Pty Ltd.
|No||Too many outstanding issues. Bob's might be editorial (bit of a stretch on that), but Darren's are not.
|No||Sorry for the long comment, but I can only make one comment per ballot.
I also support Bob's comment. It may be easier moving forward if we updated the test for all the ECDH mechanisms so that they read "if the derivation function is CKD_NULL, else...". That way we do not need to update the list of KDFs if/when additional ones are added.
The proposal states that CK_ECDH2_DERIVE_PARAMS provides the parameters to CKM_ECMQV_DERIVE. Was that intentional? CKM_ECMQV_DERIVE already has a parameter CK_ECMQV_DERIVE_PARAMS and references X9.63 as the algorithm used. I expected to see the text for CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE updated to account for CK_ECDH2_DERIVE_PARAMS. Or additional mechanisms (For example CKM_ECDH2_DERIVE and CKM_ECDH2_COFACTOR_DERIVE) created that used CK_ECDH2_DERIVE_PARAMS. And I think we need to call out a standard that defines how to use the two key pairs, either SP800-56Ar1 or some other standard that defines 2-key ECDH.