OASIS PKCS 11 TC Frequently Asked Questions

  1. What does the OASIS PKCS 11 Technical Committee do?

    The PKCS 11 Technical Committee addresses the need for ongoing enhancement and maintenance of PKCS #11, widely used across the industry as a core specification for cryptographic services. The committee defines requirements for enhancements to and maintenance of PKCS #11 as an API for devices that may hold cryptographic information and may perform cryptographic functions. These requirements include such areas as new mechanisms for implementation of the PKCS #11 application programming interface. Other areas of in-scope activity for the Committee include the specification of new PKCS #11 functionality in support of integration with other standards, particularly OASIS Key Management Interoperability Protocol (KMIP) and additional language bindings and support for new environments such as mobile. The Committee also engages in activities that support effective and interoperable implementation of PKCS #11, including developing guidance on the use of PKCS #11, supporting interoperability testing and coordinating reference implementations.

  2. What is PKCS #11?

    PKCS #11 defines the data types and functions available to an application using the Cryptoki application programming interface (API).

    PKCS #11 isolates an application from the details of the specifics of a cryptographic device. The application does not have to change to interface to devices offering the same cryptographic functions or to be able to run in a different environment; thus, the application is portable between devices from different vendors and devices operating in different environments. PKCS #11 was originally intended for cryptographic devices associated with a single user; hence the focus is on a single user’s keys and optionally a small set of associated certificates. However, PKCS #11 can also be used in a broader multi-user context. As the emphasis within PKCS #11 is on cryptography; although a device may perform useful non-cryptographic functions, definition of APIs for such functions is left to other interfaces.

    The PKCS #11 Specification provides the normative expression of the application programming interface for the standard, including objects, attributes, operations, mechanisms and other elements.

  3. What business needs does PKCS #11 address?

    In providing an API for devices that may hold cryptographic information and may perform cryptographic functions, PKCS #11 addresses the following business needs:

    • Protecting data with encryption is increasingly mandated by government and industry regulation and is the most common technology used to mitigate risks associated with data breaches. PKCS #11 provides a comprehensive and time-proven API for cryptographic operations in support of data protection.
    • Security devices used for protection of identity and for strong authentication of users are also supported by PKCS #11.
    • PKCS #11 enables choice of a wide range of devices from multiple vendors allowing the selection of the device most appropriate to addressing a specific security issue.
    • PKCS #11 is a widely adopted API for Hardware Security Modules, including for access to key material stored in these protected environments.
  4. How does PKCS #11 relate to other standards efforts?

    PKCS #11 is one of the family of standards called Public-Key Cryptography Standards (PKCS), originally developed under the leadership of and published by RSA Laboratories. Minimal further development is anticipated at this time for the other standards within the PKCS family, some of which remain under RSA leadership and others of which have been transferred to IETF.

    Activity in support of cryptographic standardization is also occurring in a number of other venues, including OASIS Technical Committees such the Key Management Interoperability Protocol (KMIP) Technical Committee, JCA (Java Cryptography Architecture) and JCE (Java Cryptography Extension) frameworks and under vendor sponsorship such as the Microsoft CNG (Cryptography Next Generation) APIs. Other standards groups working on cryptography-related standards include IEEE (P1619), IETF (KeyProv), ANSI (X9.31) and ISO (ISO/IEC 9796). The PKCS 11 Technical Committee seeks to align its technical activities and deliverables with other standardization initiatives in order to support harmonized vocabularies, avoid unnecessary duplication of effort, and promote interoperability and integration with respect to cryptographic objects and operations. Where appropriate, the OASIS PKCS 11 Technical Committee will establish formal TC Liaison relationships with other organizations working on related standards.