Changes

The file format consists of name/value pairs of the form ''name''=''value''.

=== Recognized Names:===

'''library ''' - This specifies the path to the pkcs #11 library. '''name ''' - This specifies the name of the pkcs #11 library. '''parameter ''' - This specifies a pkcs #11 library parameter with the application must pass to the pkcs #11 library at C_Initialize() time (see below).

name value pairs which are used to specify application specific parametersconfiguration for other applications. Of course these application/libraries should be able to parse their own

to describe the pkcs PKCS #11 library in any UI it may have.

If the parameter is not specified, no parameters are passed to the PKCS #11 module.

=== Parameter Passing:===

Here are the NSS Application specific parameters which I intend to in use. This data is data that I currently store in secmod.db, or intend to store there in the near future. This isn't part of the generic spec(that is other applications need not parse it, but I include it to see if anyone thinks some of these valuse should be nor pkcs #11promoted to the next level upmodules need supply them. The only ones that seem to me to be candidates would be cipherOrder, trustOrder, and perhaps some of the slotParams

'''NSS'''="''nss_params''" ''nss_params '' are themselves name/value pairs, parsed with the same rules described above. Valid names inside nss_params are: '''flags ''' - comma separated list of flag values, parsed case-insensitive. Valid flag values are: '''internal ''' - this library is actually the Netscape internal library '''fips ''' - this library is the Netscape internal fips library. moduleListSource '''critical''' - if this library can cannot be queried loaded, completely fail initialization '''moduleDB''' - this library includes NSS specific functions to supply additional module specs for lists of more loading. '''moduleDBOnly''' - this library has no PKCS #11 functions and is only used for loading additional modules to load. '''trustOrder ''' - integer value specifying the order in which the trust information for certificates specified by tokens on this pkcs #11 library should be rolled up (this option will make more sense once I publish the other proposal I have promised). '0' means that tokens on this library should not supply trust information (default). The relative order of two pkcs#11 libraries which have the same trustOrder value is undefined. '''cipherOrder ''' - integer value specifiying the order in which tokens are searched when looking for a token to do a generic operation (DES/Hashing, etc). '''ciphers ''' - comma separated list of ciphers this token will enable that isn't already enabled by the library (currently only '''FORTEZZA ''' is defined) (case-insensitive).. '''slotParams ''' - space separated list of name/value pairs where the name is a slotID and the value is a space sparated list of parameters related to that slotID. Valid slotParams values are: '''slotFlags''' - comma separated list of cipher groups which this slot is expected to be the default implementation for (case-insensitive). Valid flags are: '''RSA''' - This token should be used for all RSA operations (other than Private key operations where the key lives in another token). '''DSA''' - This token should be used for all DSA operations (other than Private key operations where the key lives in another token). '''RC4''' - This token should be used for all RC4 operations which are not constrained by an existing key in another token. '''RC2''' - This token should be used for all RC2 operations which are not constrained by an existing key in another token. '''DES''' - This token should be used for all DES, DES2, and DES3 operations which are not constrained by an existing key in another token. '''DH''' - This token should be used for all DH operations (other than Private key operations where the key lives in another token). '''FORTEZZA'''- This token should be used for all KEA operations (other than Private key operations where the key lives in another token), as well as SKIPJACK operations which are not constrained by an existing key in another token. '''RC5''' - This token should be used for all RC5 operations which are not constrained by an existing key in another token. '''SHA1''' - - This token should be used for all basic SHA1 hashing. '''MD5''' - This token should be used for all basic MD5 hashing. '''MD2''' - This token should be used for all basic MD2 hashing. '''SSL''' - This token should be used for SSL key derivation which are not constrained by an existing key in another token. '''TLS''' - This token should be used for TLS key derivation which are not constrained by an existing key in another token. '''AES''' - This token should be used for all AES operations which are not constrained by an existing key in another token. '''RANDOM''' - This token should be used to generate random numbers when the application call 'PK11_GenerateRandom'. '''PublicCerts''' - The certificates on this token can be read without authenticating to this token, and any user certs on this token have a patching public key which is also readable without authenticating. '''rootFlags''' - comma separated of flags describing any root certs that slotIDmay be stored (case-insensitive). Valid flags are: '''hasRootCerts''' '''hasRootTrust''' '''timeout ''' - time in minutes before the current authentication should be rechecked. '''askpwd ''' - case-insensitive flag describing how password prompts should be manages: every r

<pre>library= name="Netscape Internal Crypto Module" parameters="configdir=/u/relyea/.netscape certprefix=secmod=secmod.db" NSS="Flags=internal,pkcs11module TrustOrder=1 CipherOrder=-1 ciphers= slotParams={0x1=[slotFlags='RSA,DSA,DH,RC4,RC2,DES,MD2,MD5,SHA1,SSL,TLS,PublicCerts,Random'] 0x2=[slotFlags='RSA' timeout=50 askpw=only]}"