5.2. TPS Operations

Explicit Operations

An explicit operation is an operation called by a user. Explicit operations include enroll (op.enroll.*), format (op.format.*), and pinReset (op.pinReset.*).

Implicit Operations

An implicit operation is an operation that takes place due to the policy or status of a token at a time when an explicit operation is being processed. Implicit operations include keyGen (op.enroll.userKey.keyGen.*), renewal (op.enroll.userKey.renewal.*), update.applet (op.enroll.userKey.update.applet.*), and key update (op.enroll.userKey.update.symmetricKeys.*).

Some implicit operations are controlled per key type. These include recovery, serverKeygen, and revocation.
The following example of a TPS profile specifies user keys to be generated on the server side: 
op.enroll.userKey.keyGen.encryption.serverKeygen.archive=true
op.enroll.userKey.keyGen.encryption.serverKeygen.drm.conn=kra1
op.enroll.userKey.keyGen.encryption.serverKeygen.enable=true
Additionally, the following example tells TPS that a token whose keys are compromised should revoke the certification with revocation reason 1 during the state transition: 
op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeCert=true
op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeCert.reason=1
According to RFC 5280, possible revocation reasons and their codes are defined as follows:

Table 5.1. Revocation Reasons and Codes

Reason Code
unspecified 0
keyCompromise 1
CACompromise 2
affiliationChanged 3
superseded 4
cessationOfOperation 5
certificateHold 6
removeFromCRL 8
privilegeWithdrawn 9
AACompromise 10