[15754] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

Re: [kerberos-discuss] smart card token label question

daemon@ATHENA.MIT.EDU (Nicolas Williams)
Tue May 4 13:03:47 2010

Date: Tue, 4 May 2010 12:03:17 -0500
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: "Douglas E. Engert" <deengert@anl.gov>
Message-ID: <20100504170316.GL9429@oracle.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <4BE04EF4.3090708@anl.gov>
Cc: kerberos-discuss <kerberos-discuss@opensolaris.org>,
   MIT Kerberos Dev List <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Tue, May 04, 2010 at 11:44:36AM -0500, Douglas E. Engert wrote:
> Nicolas Williams wrote:
> >But the point is taken that token labels are unreliable as an aid to
> >filter slots with tokens present.  Looking for CHUID public objects is
> >likely to be much more useful.
> 
> But the CHUID is specific to a PIV card.

Yes, the U.S. national standard, specifically.  We can't do just that.

> >Does OpenSC pretend that there are multiple slots, with different tokens
> >for each PIN that a token has?
> 
> Yes, thats what I understand. I don't have any first hand knowledge about
> how this works, as I don't card with multiple user PINs.

I can't see any other way in which it could work via a pure PKCS#11 API,
so that must be it.  At least there'd be a meaningful label, if provided
on initialization.  Also, it seems that smartcards do generally support
public objects (unlike, for example, the SCA6000), which is helpful.

The CardPersonalization page on the OpenSC wiki is quite informative.

Thanks a lot Doug,

Nico
-- 
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

home help back first fref pref prev next nref lref last post