[kerberos-discuss] smart card token label question

Nicolas Williams Nicolas.Williams at oracle.com
Tue May 4 13:03:17 EDT 2010

On Tue, May 04, 2010 at 11:44:36AM -0500, Douglas E. Engert wrote:
> Nicolas Williams wrote:
> >But the point is taken that token labels are unreliable as an aid to
> >filter slots with tokens present.  Looking for CHUID public objects is
> >likely to be much more useful.
> But the CHUID is specific to a PIV card.

Yes, the U.S. national standard, specifically.  We can't do just that.

> >Does OpenSC pretend that there are multiple slots, with different tokens
> >for each PIN that a token has?
> Yes, that's what I understand. I don't have any first-hand knowledge about
> how this works, as I don't have a card with multiple user PINs.

I can't see any other way in which it could work via a pure PKCS#11 API,
so that must be it.  At least there'd be a meaningful label, if provided
on initialization.  Also, it seems that smartcards do generally support
public objects (unlike, for example, the SCA6000), which is helpful.

The CardPersonalization page on the OpenSC wiki is quite informative.

Thanks a lot Doug,

