Subject: Re: [pkcs11] Groups - C_SetPINUser-C_InitPINUser-v2a.pdf uploaded
Tim,
Thank you for updating the proposal.
My thoughts regarding the questions you have raised in the Chair allocation request:
- Return code CKR_USERNAME_INVALID or CKR_USERNAME_UNKNOWN? It's correct that CKR_USERNAME_INVALID better matches existing return codes. But it sounds a bit like "username is invalid because it contains invalid characters". In my opinion CKR_USERNAME_UNKNOWN better matches the meaning of this return code. Nevertheless, both are ok for me. We can have a (short) discussion in our next TC meeting and then decide.
- New token flag CKF_USERNAME or CKF_USERNAME_REQUIRED? In case the meaning of the new token flag is CKF_USERNAME_REQUIRED, does that mean that the current functions C_InitToken, C_InitPIN, C_SetPIN, C_Login and C_LoginUser are not supported anymore by the token, and the token returns CKR_FUNCTION_NOT_SUPPORTED when these functions are called? If that's the case, then behavior is the same as when trying to use new "username" functions. As a consequence, should we then either have no new token flag at all, or two new token flags CKF_USERNAME_SUPPORTED and CKF_USERNAME_REQUIRED? To be discussed …
And a few more questions and comments that may need discussion:
- Should we have a new function C_LogoutUsername as well? Especially when implementing quorum authentication to an HSM using the C_LoginUsername functions, C_LogoutUsername may make sense. It is not required though: calling C_Logout will log out all users, and then one can start with new C_LoginUsername again. It'll be great to hear the opinion of other vendors.
- Section C_InitTokenUsername, 2nd sentence: should we make (more) clear that the InitToken function applies to the SO by stating "pUsername points to the user name of the SO, …"?
- I noticed that examples in your proposal use (… strlen(username) … sizeof(pin)-1…), others use (… strlen(username) … strlen(pin)-1…). Comparing with PKCS#11 v3.1 specification, I found that only the example in C_InitToken uses strlen(), all other examples use sizeof(). I suggest consistently using sizeof() in all examples, and updating the example in C_InitToken to use sizeof() as well.
Best regards,
Dieter
From: pkcs11@lists.oasis-open.org <pkcs11@lists.oasis-open.org> On Behalf Of Tim Hudson
Sent: Wednesday, April 12, 2023 10:16 PM
To: pkcs11@lists.oasis-open.org
Subject: [pkcs11] Groups - C_SetPINUser-C_InitPINUser-v2a.pdf uploaded
Submitter's message
Update version incorporating requested changes.
-- Tim Hudson
Document Name: C_SetPINUser-C_InitPINUser-v2a.pdf
Description
Proposal for C_SetPINUser (and C_InitPINUser)
Submitter: Tim Hudson
Group: OASIS PKCS 11 TC
Folder: Working Drafts
Date submitted: 2023-04-12 13:15:51
Revision: 1
Utimaco IS GmbH
Germanusstr. 4, D.52080 Aachen, Germany, Tel: +49-241-1696-0, www.utimaco.com
Seat: Aachen – Registergericht Aachen HRB 18922
VAT ID No.: DE 815 496 496
Managementboard: Stefan Auerbach, Martin Stamm, Hacan Tiwemark
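The strlen()/sizeof() point raised in the message above, as an added example that is not part of the thread, the proposal, or the PKCS #11 specification: `sizeof(pin)-1` gives the PIN length only when `pin` is declared as an array, so switching an example from strlen() to sizeof() also means checking how the PIN variable is declared. `mock_login` is a hypothetical stand-in for a token's PIN check, the PIN value is constructed, and the typedefs and constants are local stand-ins for `pkcs11.h`.

```c
#include <string.h>

/* Local stand-ins for pkcs11.h so the example builds on its own. */
typedef unsigned char CK_UTF8CHAR;
typedef unsigned long CK_ULONG;
typedef unsigned long CK_RV;
#define CKR_OK            0x00000000UL
#define CKR_PIN_INCORRECT 0x000000A0UL

/* Hypothetical token-side check (not a PKCS #11 function): the PIN arrives as
 * pointer plus length and is compared byte for byte, with no NUL terminator. */
static CK_RV mock_login(const CK_UTF8CHAR *pPin, CK_ULONG ulPinLen)
{
    static const CK_UTF8CHAR stored[] = { 'M', 'y', 'P', 'I', 'N' };

    if (ulPinLen != sizeof(stored))   /* length checked first: no over-read */
        return CKR_PIN_INCORRECT;
    return memcmp(pPin, stored, sizeof(stored)) == 0 ? CKR_OK
                                                     : CKR_PIN_INCORRECT;
}

/* Array initialised from a literal: sizeof counts the trailing NUL, so -1. */
CK_RV login_array_sizeof(void)
{
    CK_UTF8CHAR pin[] = "MyPIN";
    return mock_login(pin, sizeof(pin) - 1);
}

/* Pointer to a literal: strlen gives the PIN length. */
CK_RV login_pointer_strlen(void)
{
    const char *pin = "MyPIN";
    return mock_login((const CK_UTF8CHAR *)pin, (CK_ULONG)strlen(pin));
}

/* Pointer with sizeof: this is the size of the pointer, not of the PIN,
 * so the token receives the wrong length and rejects the login. */
CK_RV login_pointer_sizeof(void)
{
    const char *pin = "MyPIN";
    return mock_login((const CK_UTF8CHAR *)pin, (CK_ULONG)(sizeof(pin) - 1));
}
```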