[15754] in Kerberos_V5_Development
Re: [kerberos-discuss] smart card token label question
daemon@ATHENA.MIT.EDU (Nicolas Williams)
Tue May 4 13:03:47 2010
Date: Tue, 4 May 2010 12:03:17 -0500
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: "Douglas E. Engert" <deengert@anl.gov>
Message-ID: <20100504170316.GL9429@oracle.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <4BE04EF4.3090708@anl.gov>
Cc: kerberos-discuss <kerberos-discuss@opensolaris.org>,
MIT Kerberos Dev List <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Tue, May 04, 2010 at 11:44:36AM -0500, Douglas E. Engert wrote:
> Nicolas Williams wrote:
> >But the point is taken that token labels are unreliable as an aid to
> >filter slots with tokens present. Looking for CHUID public objects is
> >likely to be much more useful.
>
> But the CHUID is specific to a PIV card.
Yes, the U.S. national standard, specifically. We can't do just that.
> >Does OpenSC pretend that there are multiple slots, with different tokens
> >for each PIN that a token has?
>
> Yes, thats what I understand. I don't have any first hand knowledge about
> how this works, as I don't card with multiple user PINs.
I can't see any other way in which it could work via a pure PKCS#11 API,
so that must be it. At least there'd be a meaningful label, if provided
on initialization. Also, it seems that smartcards do generally support
public objects (unlike, for example, the SCA6000), which is helpful.
The CardPersonalization page on the OpenSC wiki is quite informative.
Thanks a lot Doug,
Nico
--
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev