
pkcs11-comment message



Subject: C_SetPIN with multiple PINs; authenticated CKO_DATA handling


Hi,

PKCS#11 v2.30 introduces a new CKU_CONTEXT_SPECIFIC user, which is useful for tokens that have multiple PIN codes; a user of the PKCS#11 module can do C_SignInit followed by C_Login with user type CKU_CONTEXT_SPECIFIC so as to allow the PKCS#11 module to know which PIN code is being requested.

This works well for signature operations, but it does not define how a user should select which PIN to change with C_SetPIN. A method of C_Login with CKU_CONTEXT_SPECIFIC followed by a C_SetPIN would seem to be the obvious answer, except that this would result in having to send the PIN code to the PKCS#11 module twice; or, in the case of a token with CKF_PROTECTED_AUTHENTICATION_PATH being set, in the user being asked the same (old) PIN code twice. This is not an ideal situation.

The CKU_CONTEXT_SPECIFIC method could also be used to authenticate to a token that requires a PIN code in order to be able to access sensitive data through CKO_DATA object searches. However, in order to be able to do that properly, either C_FindObjectsInit or C_FindObjects (or, preferably, both) should be able to return CKR_USER_NOT_LOGGED_IN. In version 2.40 of the standard, this is not allowed.

I have been looking for a draft version of PKCS#11 v3.0, but have only been able to find the GitHub repository, which contains a whole lot of new identifiers but no actual standard text.

Is the PKCS#11 committee aware of these issues? If so, are there any plans to remedy them?

Thanks,
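The C_SignInit, then C_Login(CKU_CONTEXT_SPECIFIC), then C_Sign sequence described above, as an added model in C that is not the PKCS#11 specification's text or any token's code: a hypothetical in-memory token with a separate signature PIN. Only the CK_* constants carry their real pkcs11.h values; `struct token` and the `tok_*` functions are assumptions standing in for the real C_SignInit, C_Login and C_Sign.

```c
#include <string.h>
#include <stdbool.h>
/* Real pkcs11.h values for the constants used here; everything else in this
 * file is a hypothetical in-memory token, not any vendor's or the spec's code. */
typedef unsigned long CK_RV;
#define CKR_OK                        0x000UL
#define CKR_OPERATION_NOT_INITIALIZED 0x091UL
#define CKR_PIN_INCORRECT             0x0A0UL
#define CKR_USER_TYPE_INVALID         0x0E3UL
#define CKR_USER_NOT_LOGGED_IN        0x101UL
#define CKU_USER                      1UL
#define CKU_CONTEXT_SPECIFIC          2UL

struct token {
    const char *user_pin;  /* PIN checked by C_Login(CKU_USER) */
    const char *sign_pin;  /* separate signature PIN on a multi-PIN token */
    bool user_logged_in;   /* session state after C_Login(CKU_USER) */
    bool sign_active;      /* a C_SignInit operation is pending */
    bool ctx_auth_ok;      /* CKU_CONTEXT_SPECIFIC login done for this operation */
};
/* C_SignInit: opens the operation; a context-specific login must follow it,
 * which is how the token learns which of its PINs is being requested. */
CK_RV tok_sign_init(struct token *t) {
    if (!t->user_logged_in) return CKR_USER_NOT_LOGGED_IN;
    t->sign_active = true;
    t->ctx_auth_ok = false;
    return CKR_OK;
}
/* C_Login: CKU_USER verifies the session PIN; CKU_CONTEXT_SPECIFIC is only
 * valid while an operation is active and verifies that operation's PIN. */
CK_RV tok_login(struct token *t, unsigned long user_type, const char *pin) {
    if (user_type == CKU_USER) {
        if (strcmp(pin, t->user_pin) != 0) return CKR_PIN_INCORRECT;
        t->user_logged_in = true;
        return CKR_OK;
    }
    if (user_type == CKU_CONTEXT_SPECIFIC) {
        if (!t->sign_active) return CKR_OPERATION_NOT_INITIALIZED;
        if (strcmp(pin, t->sign_pin) != 0) return CKR_PIN_INCORRECT;
        t->ctx_auth_ok = true;
        return CKR_OK;
    }
    return CKR_USER_TYPE_INVALID;
}
/* C_Sign: the context-specific authentication covers one operation only;
 * finishing or failing the operation clears it, so the next signature needs
 * a fresh C_SignInit and a fresh CKU_CONTEXT_SPECIFIC login. */
CK_RV tok_sign(struct token *t) {
    if (!t->sign_active) return CKR_OPERATION_NOT_INITIALIZED;
    bool ok = t->ctx_auth_ok;
    t->sign_active = false;
    t->ctx_auth_ok = false;
    return ok ? CKR_OK : CKR_USER_NOT_LOGGED_IN;
}
```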
