smart card token label question

Douglas E. Engert deengert at
Mon May 3 18:08:14 EDT 2010

Will Fiveash wrote:
> I'm trying to get an idea as to whether smartcards are typically
> deployed with a token label that is the same for all deployed smartcards
> or does the token label vary per smartcard?

I assume you are referring to the PKCS#11 CKR_TOKEN_INFO label. A card may
or may not have labels stored on the card. And it may or may not have a card
serial number. So a PKCS#11 implementation may have to try and come up with
a token label and/or a serial number using what ever information is available.

The only card and middle ware I can speak to in the PIV card with the OpenSC.
The PIV card has objects but NIST 800-73 does not define a label of a serial
number for a PIV card. The closest thing to a serial number are fields in the
"CHUID" object on the card that could be used to create a serial number from
the FASC-N or the GUID if present. The OpenSC PIV driver does this for the
serial number.

The token label is worse. OpenSC's pkcs11-tool -L returns a combination
of what the the card driver has as a token label, and the label for the PIN.
It returns "PIV_II (PIV Card Holder PIN)".

Based on observations of trying a PIV card with just a certificate and key
but no other objects on the card, the card would not work with the Windows 7
native driver. Only after a CHUID object was added to the card would it work.
So Microsoft may have taken the same approach of using the CHUID to get a
serial number.


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the krbdev mailing list