Subject: RE: [pkcs11] Groups - C_SetPINUser-C_InitPINUser-v2a.pdf uploaded


Tim,

 

Thank you for updating the proposal.

 

My thoughts regarding the questions you have raised in the Chair allocation request:

  • Return code CKR_USERNAME_INVALID or CKR_USERNAME_UNKNOWN? It’s correct that CKR_USERNAME_INVALID better matches existing return codes. But it sounds a bit like “username is invalid because it contains invalid characters”. In my opinion CKR_USERNAME_UNKNOWN better matches the meaning of this return code. Nevertheless, both are ok for me. We can have a (short) discussion in our next TC meeting and then decide.
  • New token flag CKF_USERNAME or CKF_USERNAME_REQUIRED? In case the meaning of the new token flag is CKF_USERNAME_REQUIRED, does that mean that the current functions C_InitToken, C_InitPIN, C_SetPIN, C_Login and C_LoginUser are not supported anymore by the token, and the token returns CKR_FUNCTION_NOT_SUPPORTED when these functions are called? If that’s the case, then behavior is the same as when trying to use new “username” functions. As a consequence, should we then either have no new token flag at all, or two new token flags CKF_USERNAME_SUPPORTED and CKF_USERNAME_REQUIRED? To be discussed …

 

And a few more questions and comments that may need discussion:

  • Should we have a new function C_LogoutUsername as well? Especially when implementing quorum authentication to an HSM using the C_LoginUsername functions, C_LogoutUsername may make sense. It is not required though: calling C_Logout will log out all users, and then one can start with new C_LoginUsername again. It’ll be great to hear the opinion of other vendors.
  • Section C_InitTokenUsername, 2nd sentence: should we make (more) clear that the InitToken function applies to the SO by stating “pUsername points to the user name of the SO, …”?
  • I noticed that some examples in your proposal use (… strlen(username) … sizeof(pin)-1 …), others use (… strlen(username) … strlen(pin)-1 …). Comparing with the PKCS#11 v3.1 specification, I found that only the example in C_InitToken uses strlen(); all other examples use sizeof(). I suggest consistently using sizeof() in all examples, and updating the example in C_InitToken to use sizeof() as well.

 

Best regards,

Dieter
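An added C example on the sizeof() versus strlen() point raised above; it is not code from this mail or from the PKCS#11 specification, the CK_* typedefs are minimal stand-ins for the spec's types, and the PIN value is constructed. It shows when the spec's sizeof(pin)-1 idiom agrees with strlen(pin) and when it silently yields the wrong ulPinLen.

```c
/* Added example, not code from the thread or the PKCS#11 specification.
 * Shows when the sizeof(pin)-1 idiom used in the spec's examples and
 * strlen(pin) give the same length, and when sizeof silently does not. */
#include <string.h>

/* Minimal stand-ins for the PKCS#11 types taken by C_InitPIN / C_SetPIN. */
typedef unsigned char  CK_UTF8CHAR;
typedef CK_UTF8CHAR   *CK_UTF8CHAR_PTR;
typedef unsigned long  CK_ULONG;

/* Compile-time length of a PIN held in a local char array: the array
 * size minus the terminating NUL. Correct only for a true array. */
#define ARRAY_PIN_LEN(pin) ((CK_ULONG)(sizeof(pin) - 1))

/* Run-time length from the bytes actually present. */
static CK_ULONG runtime_pin_len(CK_UTF8CHAR_PTR pin)
{
    return (CK_ULONG)strlen((const char *)pin);
}

/* Both idioms agree for an array initialised from a literal: 5 == 5. */
static CK_ULONG literal_pin_len_sizeof(void)
{
    CK_UTF8CHAR pin[] = "MyPIN";          /* constructed: 5 chars + NUL */
    return ARRAY_PIN_LEN(pin);
}

/* The pitfall: once the PIN is behind a pointer (a function parameter,
 * a buffer read from the user), sizeof measures the pointer, not the
 * string, so ulPinLen would be sizeof(void *) - 1 whatever the PIN is. */
static CK_ULONG pointer_pin_len_sizeof(CK_UTF8CHAR_PTR pin)
{
    return (CK_ULONG)(sizeof(pin) - 1);   /* wrong on purpose: shows the bug */
}
```

The sizeof() idiom is therefore safe in spec examples that declare the PIN as a local array, but a caller that copies the pattern onto a pointer parameter passes a bogus length to the token.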

 

From: pkcs11@lists.oasis-open.org <pkcs11@lists.oasis-open.org> On Behalf Of Tim Hudson
Sent: Wednesday, April 12, 2023 10:16 PM
To: pkcs11@lists.oasis-open.org
Subject: [pkcs11] Groups - C_SetPINUser-C_InitPINUser-v2a.pdf uploaded

 

Submitter's message
Update version incorporating requested changes.
-- Tim Hudson

Document Name: C_SetPINUser-C_InitPINUser-v2a.pdf


Description
Proposal for C_SetPINUser (and C_InitPINUser)


Submitter: Tim Hudson
Group: OASIS PKCS 11 TC
Folder: Working Drafts
Date submitted: 2023-04-12 13:15:51
Revision: 1

 




Utimaco IS GmbH

