
Subject: RE: C_SetPIN with multiple PINs; authenticated CKO_DATA handling

Hi Wouter,


Just saw this – will work with TC on larger response to your questions, but as for the drafts of version 3.0, they can be found in the Technical Committee's document repository:




Find the latest working drafts there, along with changebar documents.




From: pkcs11-comment@lists.oasis-open.org <pkcs11-comment@lists.oasis-open.org> On Behalf Of Wouter Verhelst
Sent: Wednesday, April 10, 2019 6:14 AM
To: pkcs11-comment@lists.oasis-open.org
Subject: [pkcs11-comment] C_SetPIN with multiple PINs; authenticated CKO_DATA handling




PKCS#11 v2.30 introduces a new CKU_CONTEXT_SPECIFIC user, which is useful for tokens that have multiple PIN codes; a user of the PKCS#11 module can do C_SignInit followed by C_Login with user type CKU_CONTEXT_SPECIFIC so as to allow the PKCS#11 module to know which PIN code is being requested.


This works well for signature operations, but it does not define how a user should select which PIN to change with C_SetPIN. A method of C_Login with CKU_CONTEXT_SPECIFIC followed by a C_SetPIN would seem to be the obvious answer, except that this would result in having to send the PIN code to the PKCS#11 module twice; or, in the case of a token with CKF_PROTECTED_AUTHENTICATION_PATH being set, in the user being asked the same (old) PIN code twice. This is not an ideal situation.


The CKU_CONTEXT_SPECIFIC method could also be used to authenticate to a token that requires a PIN code in order to be able to access sensitive data through CKO_DATA object searches. However, in order to be able to do that properly, either C_FindObjectsInit or C_FindObjects (or, preferably, both) should be able to return CKR_USER_NOT_LOGGED_IN. In version 2.40 of the standard, this is not allowed.


I have been looking for a draft version of PKCS#11 v3.0, but have only been able to find the github repository, which contains a whole lot of new identifiers but no actual standard text.


Is the PKCS#11 committee aware of these issues? If so, are there any plans to remedy them?
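As an added illustration that is not part of the original post or of any PKCS#11 implementation, the following constructed C mock models a two-PIN token: C_SignInit gives a later CKU_CONTEXT_SPECIFIC login its context, whereas C_SetPIN carries no such context, so changing one of the PINs through the "login first, then C_SetPIN" route forces the old PIN to be presented twice. The mock_* names, the token layout and the sample PINs are assumptions; only the CKR_* values are the standard's.

```c
#include <string.h>
#include <stdbool.h>

/* Constructed mock of a two-PIN token; not a real PKCS#11 module. The mock_*
 * names are assumptions for this example; the CKR_* values are PKCS#11's. */
#define CKR_OK                        0x00
#define CKR_ARGUMENTS_BAD             0x07
#define CKR_OPERATION_NOT_INITIALIZED 0x91
#define CKR_PIN_INCORRECT             0xA0
#define CKR_USER_NOT_LOGGED_IN        0x101

struct mock_key { const char *pin; bool unlocked; };
struct mock_token {
    struct mock_key keys[2];  /* sample PINs below are constructed */
    int active_sign_key;      /* set by the C_SignInit analogue, -1 when idle */
    int pin_presentations;    /* how often the caller had to supply a PIN */
};
static struct mock_token tok = { { { "1234", false }, { "5678", false } }, -1, 0 };

/* C_SignInit analogue: remembers which key (and so which PIN) a following
 * CKU_CONTEXT_SPECIFIC login refers to. */
unsigned long mock_sign_init(int key_index) {
    if (key_index < 0 || key_index > 1) return CKR_ARGUMENTS_BAD;
    tok.active_sign_key = key_index;
    return CKR_OK;
}

/* C_Login(CKU_CONTEXT_SPECIFIC) analogue: the active operation disambiguates the PIN. */
unsigned long mock_login_context_specific(const char *pin) {
    if (tok.active_sign_key < 0) return CKR_OPERATION_NOT_INITIALIZED;
    tok.pin_presentations++;
    struct mock_key *k = &tok.keys[tok.active_sign_key];
    if (strcmp(k->pin, pin) != 0) return CKR_PIN_INCORRECT;
    k->unlocked = true;
    return CKR_OK;
}

/* C_SetPIN analogue: it has no operation context of its own, so the only way to
 * know which PIN old_pin belongs to is a preceding context-specific login, and
 * the old PIN is then presented a second time. */
unsigned long mock_set_pin(const char *old_pin, const char *new_pin) {
    int i = tok.active_sign_key;
    if (i < 0 || !tok.keys[i].unlocked) return CKR_USER_NOT_LOGGED_IN;
    tok.pin_presentations++;
    if (strcmp(tok.keys[i].pin, old_pin) != 0) return CKR_PIN_INCORRECT;
    tok.keys[i].pin = new_pin;
    return CKR_OK;
}

/* Changes one key's PIN the only way the mock allows and returns how many times
 * the old PIN had to be supplied (2, the cost the post describes); -1 on failure. */
int mock_change_pin_presentations(int key_index, const char *old_pin, const char *new_pin) {
    tok.pin_presentations = 0;
    if (mock_sign_init(key_index) != CKR_OK) return -1;
    if (mock_login_context_specific(old_pin) != CKR_OK) return -1;
    if (mock_set_pin(old_pin, new_pin) != CKR_OK) return -1;
    return tok.pin_presentations;
}
```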



