pkinit updates
Jeffrey Altman
jaltman at secure-endpoints.com
Tue Dec 12 14:58:28 EST 2006
The reason that PKCS#11 supports multiple slots to the same reader
is that it may be possible for there to be different tokens with
different security requirements. It is not possible for a single
slot to have different security policies for different tokens.
If a PKCS#11 module wants to support this, it must do so by implementing
different slots through which different subsets of tokens are made
available.
Jeffrey Altman
Douglas E. Engert wrote:
>
> Jim Rees wrote:
>
>> I think the PKCS11 environment variable should still work.
>
> Right, I found that. But I would expect the environment variable to
> be dropped in favor of the -X parameters.
>
> > But you don't
> > need to specify the slot any more, unless you have more than one token.
>
> There is not necessarily 1-1 correspondence between readers and slots.
> PKCS#11 says: "It is possible that multiple slots may share the same reader."
>
> OpenSC can allocate multiple slots to the same card, if the security
> requirements are different, i.e. you could have a session with slot 0
> using a pin, but a session with slot 1 without a pin. It is not
> clear if OpenSC has gone too far in doing this, but they did it.
> There are OpenSC parameters num_slots = to assign slots to a card,
> and hide_empty_tokens.
>
> > pkcs11-tool -L
> Available slots:
> Slot 0 CCID Compatible
> token label: PIV_II (PIV Card Holder pin)
> token manuf: piv_II
> token model: PKCS #15 SCard
> token flags: rng, login required, PIN initialized, token initialized
> serial num : 9876543210
> Slot 1 CCID Compatible
> token label: PIV_II
> token manuf: piv_II
> token model: PKCS #15 SCard
> token flags: rng, PIN initialized, token initialized
> serial num : 9876543210
> Slot 2 (empty)
> Slot 3 (empty)
> Slot 4 (empty)
> Slot 5 (empty)
> Slot 6 (empty)
> Slot 7 (empty)
>
>> Our current code allows you to specify the slot like this:
>>
>> pkinit -X X509_user_identity=PKCS11:module_name:slotno
>>
>> but I don't know if that's in svn or not.
>
> No it choked with the :0.
>
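To make the slot/token distinction in this thread concrete, here is an added example (not code from the thread, MIT Kerberos or OpenSC) that parses the `pkcs11-tool -L` listing Douglas quoted, groups slots by token serial so that one card presented through several slots shows up as one token with several policies, and reports which slot numbers advertise "login required" (PIN-gated key use), which is the property a pkinit user cares about when picking the slotno in a PKCS11:module_name:slotno identity. The listing below is a constructed copy of the one in the thread, trimmed to the fields the parser reads.

```python
import re
from collections import defaultdict

# Constructed sample: the `pkcs11-tool -L` listing quoted in the thread, with
# OpenSC exposing one PIV card (same serial) through two slots of differing policy.
SAMPLE_LISTING = """\
Available slots:
Slot 0 CCID Compatible
  token label: PIV_II (PIV Card Holder pin)
  token flags: rng, login required, PIN initialized, token initialized
  serial num : 9876543210
Slot 1 CCID Compatible
  token label: PIV_II
  token flags: rng, PIN initialized, token initialized
  serial num : 9876543210
Slot 2 (empty)
"""

SLOT_RE = re.compile(r"^Slot (\d+)\s+(.*)$")

def parse_slots(listing):
    """Parse pkcs11-tool -L text into {slot_no: {"empty": bool, "serial": str|None, "flags": set}}."""
    slots, current = {}, None
    for raw in listing.splitlines():
        line = raw.strip()
        m = SLOT_RE.match(line)
        if m:  # a new "Slot N <reader or (empty)>" header starts a record
            current = {"empty": m.group(2) == "(empty)", "serial": None, "flags": set()}
            slots[int(m.group(1))] = current
        elif current is not None and ":" in line:  # "key: value" lines belong to the current slot
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key == "token flags":
                current["flags"] = {f.strip() for f in value.split(",")}
            elif key == "serial num":
                current["serial"] = value
    return slots

def token_policies(slots):
    """Group by serial: {serial: {slot_no: login_required}}; one serial in several slots is one card under several policies."""
    policies = defaultdict(dict)
    for no, s in slots.items():
        if not s["empty"] and s["serial"]:
            policies[s["serial"]][no] = "login required" in s["flags"]
    return dict(policies)

def pin_protected_slots(slots):
    """Slot numbers whose token requires login, i.e. the PIN gates private-key use."""
    return sorted(no for no, s in slots.items() if "login required" in s["flags"])
```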