smart card token label question
Douglas E. Engert
deengert at anl.gov
Mon May 3 18:08:14 EDT 2010
Will Fiveash wrote:
> I'm trying to get an idea as to whether smartcards are typically
> deployed with a token label that is the same for all deployed smartcards
> or does the token label vary per smartcard?
I assume you are referring to the PKCS#11 CKR_TOKEN_INFO label. A card may
or may not have labels stored on the card. And it may or may not have a card
serial number. So a PKCS#11 implementation may have to try and come up with
a token label and/or a serial number using whatever information is available.
The only card and middleware I can speak to is the PIV card with the OpenSC.
The PIV card has objects but NIST 800-73 does not define a label or a serial
number for a PIV card. The closest thing to a serial number are fields in the
"CHUID" object on the card that could be used to create a serial number from
the FASC-N or the GUID if present. The OpenSC PIV driver does this for the
serial number.
The token label is worse. OpenSC's pkcs11-tool -L returns a combination
of what the card driver has as a token label, and the label for the PIN.
It returns "PIV_II (PIV Card Holder PIN)".
Based on observations of trying a PIV card with just a certificate and key
but no other objects on the card, the card would not work with the Windows 7
native driver. Only after a CHUID object was added to the card would it work.
So Microsoft may have taken the same approach of using the CHUID to get a
serial number.
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
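The practical consequence of the post above is that a deployment should not key anything on the token label, since every PIV card presented through OpenSC reports the same "PIV_II (PIV Card Holder PIN)" string, while the CHUID-derived serial number differs per card. The following added example (not code from the post, from OpenSC or from the krbdev project) parses the slot listing that pkcs11-tool -L prints, then reports whether the label or the serial number is actually unique across the tokens present. It assumes the current OpenSC output layout (field names such as "token label" and "serial num"); the reader names, serial values and the listing itself are constructed.

```python
import re
import sys

# Constructed sample modeled on the layout of OpenSC's `pkcs11-tool -L`
# (assumption: field names as printed by current OpenSC; other middleware
# or older versions may differ). Two PIV cards share one token label but
# carry distinct CHUID-derived serials; the third slot has no card.
SAMPLE_LISTING = """\
Available slots:
Slot 0 (0x0): Example Reader 00 00
  token label        : PIV_II (PIV Card Holder PIN)
  token manufacturer : piv_II
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : d4e739da739c0101
  pin min/max        : 4/8
Slot 1 (0x1): Example Reader 01 00
  token label        : PIV_II (PIV Card Holder PIN)
  token manufacturer : piv_II
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 3aff0e1c9b2d0202
  pin min/max        : 4/8
Slot 2 (0x2): Example Reader 02 00
  (empty slot)
"""

# "Slot N (0xN): <reader description>"
SLOT_RE = re.compile(r"^Slot (\d+) \((0x[0-9a-fA-F]+)\): (.*)$")
# "  <field name> : <value>"; field names are lowercase words, possibly with '/'
FIELD_RE = re.compile(r"^\s+([a-z][a-z /]+?)\s*:\s*(.*)$")


def parse_slot_listing(text: str) -> list:
    """Return one dict per slot with the token fields pkcs11-tool printed."""
    slots = []
    current = None
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            current = {"slot": int(m.group(1)), "reader": m.group(3).strip(),
                       "present": False}
            slots.append(current)
            continue
        if current is None or line.strip() == "(empty slot)":
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
            current["present"] = True
    return slots


def stable_identifier(token: dict) -> str:
    """Prefer the serial number for binding a card to a user; the label is
    shared by every card behind the same driver and is only a last resort."""
    serial = token.get("serial num", "").strip()
    if serial:
        return "serial:" + serial
    return "label:" + token.get("token label", "")


def identity_report(slots: list) -> dict:
    """Say whether label and serial actually distinguish the present tokens."""
    present = [s for s in slots if s["present"]]
    labels = [s.get("token label", "") for s in present]
    serials = [s.get("serial num", "") for s in present]
    return {
        "tokens_present": len(present),
        "label_is_unique": len(set(labels)) == len(labels),
        "serial_is_unique": all(serials) and len(set(serials)) == len(serials),
    }


if __name__ == "__main__":
    # Feed real output with:  pkcs11-tool -L | python3 this_script.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    parsed = parse_slot_listing(text)
    for tok in parsed:
        if tok["present"]:
            print(tok["slot"], tok.get("token label"), stable_identifier(tok))
    print(identity_report(parsed))
```

On the constructed listing the report comes back with the label shared (not unique) and the serial unique, which is exactly the situation the post describes for PIV cards under OpenSC; a card whose middleware synthesises neither field will show up with an empty serial, and the report flags that too.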