RSA Laboratories

PKCS #15: Cryptographic Token Information Format Standard

PKCS #15 establishes a standard that enables users to use cryptographic tokens to identify themselves to multiple, standards-aware applications, regardless of the application's Cryptoki (or other token interface) provider.

PKCS #15 notice

As described in some existing PKCS documents, e.g. PKCS #11, the role of RSA Laboratories in the PKCS standards-making process is four-fold:

  1. Publish carefully written documents describing the PKCS standards.
  2. Solicit opinions and advice from developers and users on useful or necessary changes and extensions.
  3. Publish revised PKCS standards when appropriate.
  4. Provide implementation guides and/or reference implementations.

During the process of PKCS development, RSA Laboratories retains final authority on each document, though input from reviewers is clearly influential. However, RSA Laboratories' goal is to accelerate the development of formal standards, not to compete with such work. Thus, when a PKCS document is accepted as a base document for a formal standard, RSA Laboratories relinquishes its "ownership" of the document, giving way to the open standards development process.

PKCS #15 covers two groups of devices: conventional hardware tokens/IC cards, and soft-tokens implemented entirely in software. Since January 2004, a formal IC card standard exists which is based on PKCS #15, namely ISO/IEC 7816-15. RSA Laboratories has therefore decided not to do any further development on the IC card related parts of PKCS #15, but rather to refer those interested in this technology to the ISO/IEC version, which will be maintained and evolved by ISO. RSA Laboratories still intends, however, to publish errata to PKCS #15 v1.1 whenever a need arises. In addition, and to cater for the needs of soft-token implementations, RSA Laboratories will continue to maintain and develop the soft-token side of PKCS #15, preferably as a profile of ISO/IEC 7816-15.

For information, the ISO/IEC version of PKCS #15 mainly expands upon structures defined in PKCS #15, though there are some examples of data types which are defined in PKCS #15 but not used in ISO/IEC 7816-15. In almost all practical instances, however, a card with an application issued in conformance with PKCS #15 will be accepted by a terminal-side application written in conformance with ISO/IEC 7816-15. Due to the expanded functionality of ISO/IEC 7816-15, the opposite may not be true. In particular, ISO/IEC 7816-15 also defines a new application identifier (AID), which clearly would not be recognized by a PKCS #15 terminal-side application.

Current Version

Conformance Profile

Previous Versions

Note: An inconsistency has been detected in the definition of the PKCS15X509CertificateAttributes type in PKCS #15 v1.0. The definition of this ASN.1 type in the ASN.1 module differed from the definition in the body of the text (Section 6.6.1). In this case, the body of the text was correct and the definition in the ASN.1 module was incorrect. This problem is not present in the current version.

Related Documents: