ü Deprecate secondary authentication
ü Add appendix to use the iD2 multiple slot method as informative [Magnus; included]
ü Add note about write-protect flag changing with login to allow public objects to be read-only without login
ü PIN expiration
ü If PIN expires, CKF_USER_PIN_TO_BE_CHANGED is set, allow login and all functions that require login return CKR_PIN_EXPIRED until C_SetPIN is called. C_Login will never return CKR_PIN_EXPIRED.
ü Allow C_SetPIN to work without login (always changes user PIN)
ü Trusted objects (keys, certs) CKA_TRUSTED; never settable by caller, must be set by initialization; settable by SO during C_CreateObject (open for discussion)?
ü Misc. typo fixes.
ü AES mechanisms, RIJNDAEL, CKM_AES w/modes (variable block size 16, 24, 32; variable key length 128, 192, 256)
ü X9.31 RSA w/related combos
ü Updated references
ü Many misc. typo fixes.
ü X9.31 RSA key pair generation
ü ECC X9.62-3 mechanisms [Francois]
ü X9.42 mechanisms [Francois]
ü Parameter generation and validation. New explicit objects and mechanisms. [Simon]
ü AES mechanism; updated w/o variable block size
ü Updated references
ü Key generation mechanism attribute
ü Renaming ‘key parameters’ to ‘domain parameters’ to be consistent with published mechanism specifications.
ü Many misc. typo fixes
ü TLS mechanisms
ü Modifications to DH, X9.42, and EC key derivation attribute handling
ü X9.42 domain parameter generation
· SHA-256, -384, -512 and related combos
o Deferred: Draft specification not scheduled until ‘Q2 FY01
· RSA PKCS #1 PSS & multi-prime [Burt]
· IPSEC transforms