6.2. TPS Operations
Explicit Operations
An explicit operation is an operation called by a user. Explicit operations include enroll (op.enroll.*), format (op.format.*), and pinReset (op.pinReset.*).
Implicit Operations
An implicit operation is an operation that takes place due to the policy or status of a token at a time when an explicit operation is being processed. Implicit operations include keyGen (op.enroll.userKey.keyGen.*), renewal (op.enroll.userKey.renewal.*), update.applet (op.enroll.userKey.update.applet.*), and key update (op.enroll.userKey.update.symmetricKeys.*).
Some implicit operations are controlled per key type. These include recovery, serverKeygen, and revocation.
The following example of a TPS profile specifies user keys to be generated on the server side:
op.enroll.userKey.keyGen.encryption.serverKeygen.archive=true
op.enroll.userKey.keyGen.encryption.serverKeygen.drm.conn=kra1
op.enroll.userKey.keyGen.encryption.serverKeygen.enable=true
Additionally, the following example tells TPS that when a token's keys are compromised, its certificate should be revoked with revocation reason 1 during the state transition:
op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeCert=true
op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeCert.reason=1
According to RFC 5280, possible revocation reasons and their codes are defined as follows:
Table 6.1. Revocation Reasons and Codes
| Reason | Code |
|---|---|
| unspecified | 0 |
| keyCompromise | 1 |
| CACompromise | 2 |
| affiliationChanged | 3 |
| superseded | 4 |
| cessationOfOperation | 5 |
| certificateHold | 6 |
| removeFromCRL | 8 |
| privilegeWithdrawn | 9 |
| AACompromise | 10 |
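The following added example (not part of the original documentation or of TPS itself) lints a profile fragment against Table 6.1 before it is deployed. The function names and the two checks are assumptions made for illustration: an enabled `revokeCert` must carry a reason code from the table, and an enabled `serverKeygen` must name a `drm.conn`.

```python
import re

# Codes from Table 6.1; 7 is absent from the table, so it is rejected.
REASONS = {0: "unspecified", 1: "keyCompromise", 2: "CACompromise",
           3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
           6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn",
           10: "AACompromise"}

def parse_profile(text):
    """Parse key=value lines, skipping blanks, # comments and malformed lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def reason_name(value):
    """Return the Table 6.1 name for a code string, or None if it is invalid."""
    if value is None or not re.fullmatch(r"[0-9]+", value):
        return None
    return REASONS.get(int(value))

def audit(props):
    """Return findings from two assumed lint checks (not TPS's own validation)."""
    findings = []
    for key, value in props.items():
        if key.endswith(".revokeCert") and value.lower() == "true":
            reason = props.get(key + ".reason")
            if reason_name(reason) is None:
                findings.append(f"{key}.reason={reason!r} is not a code in Table 6.1")
        elif key.endswith(".serverKeygen.enable") and value.lower() == "true":
            base = key[: -len(".enable")]
            if not props.get(base + ".drm.conn"):
                findings.append(f"{base}.drm.conn is unset although server-side keygen is enabled")
    return findings

# The two fragments shown in this section, then a constructed broken variant.
PAGE_PROFILE = """\
op.enroll.userKey.keyGen.encryption.serverKeygen.archive=true
op.enroll.userKey.keyGen.encryption.serverKeygen.drm.conn=kra1
op.enroll.userKey.keyGen.encryption.serverKeygen.enable=true
op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeCert=true
op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeCert.reason=1
"""
BROKEN_PROFILE = PAGE_PROFILE.replace("reason=1", "reason=7").replace("drm.conn=kra1", "drm.conn=")

if __name__ == "__main__":
    for name, text in (("page", PAGE_PROFILE), ("broken", BROKEN_PROFILE)):
        print(name, audit(parse_profile(text)) or "ok")
```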