On Wed, Oct 28, 2009 at 04:52:28PM -0400, Wyllys Ingersoll wrote:
> Will Fiveash wrote:
> > On Wed, Oct 28, 2009 at 04:03:07PM -0400, Wyllys Ingersoll wrote:
> >> Will Fiveash wrote:
> >>> When I run:
> >>> pktool list objtype=cert:public
> >>> I see:
> >>> Enter PIN for Sun Software PKCS#11 softtoken:
> >>> Given this is a public object, why am I prompted for my PIN?
> >> Because some tokens require login even for access to public objects.
> >> The SCA6000 tokens, for example.
> > The PKCS#11 v2.20 spec states:
> > Further classification defines access requirements. Applications are
> > not required to log into the token to view "public objects";
> > however, to view "private objects", a user must be authenticated to
> > the token by a PIN or some other token-dependent method (for
> > example, a biometric device).
> > Why doesn't the softtoken support this? The current implementation
> > appears to violate the spec, no?
>
> The problem is that when you query the token and check the flags,
> the token has no way to know if you want to read the private or
> public areas so it cannot have any logic to indicate whether or
> not to set the login bitfield in the flags. pktool defaults to the safest
> method, which is to prompt always (we ran into trouble
> when we did not do this on some devices other than softtoken).

Looking at the spec, there is support for different session types, including the default of CKS_RO_PUBLIC_SESSION. Why can't the token use this to determine what the app wants to read and whether login is necessary?

-- 
Will Fiveash
Sun Microsystems
Office x64079/512-401-1079
Austin, TX, 78727 (TZ=CST6CDT), USA
Internal Solaris Kerberos/GSS/SASL website: http://kerberos.sfbay.sun.com
http://opensolaris.org/os/project/kerberos/
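The two approaches argued over above (prompt always, versus search public objects in the default CKS_RO_PUBLIC_SESSION and prompt only when the token answers CKR_USER_NOT_LOGGED_IN) can be shown side by side. This is an added example, not pktool or softtoken code; the token is a constructed in-memory stand-in, with its `login_for_public` flag assumed to model a device like the SCA6000 that insists on login even for public objects. The Cryptoki constant values are the real PKCS#11 v2.20 ones.

```python
# Real Cryptoki constant values (PKCS#11 v2.20).
CKR_OK = 0x0
CKR_USER_NOT_LOGGED_IN = 0x101
CKS_RO_PUBLIC_SESSION = 0
CKS_RO_USER_FUNCTIONS = 1
CKA_CLASS = 0x0
CKA_PRIVATE = 0x2
CKO_CERTIFICATE = 0x1


class FakeToken:
    """Constructed stand-in for a token (not a real PKCS#11 module).
    login_for_public=True is the assumed SCA6000-like behaviour."""

    def __init__(self, objects, login_for_public=False):
        self.objects = objects
        self.login_for_public = login_for_public
        self.state = CKS_RO_PUBLIC_SESSION  # the default session type

    def login(self, pin):
        self.state = CKS_RO_USER_FUNCTIONS
        return CKR_OK

    def find_objects(self, template):
        """Model of C_FindObjects: private objects are invisible in a
        public session (per spec); a strict token also refuses public ones."""
        if self.state == CKS_RO_PUBLIC_SESSION and self.login_for_public:
            return CKR_USER_NOT_LOGGED_IN, []
        visible = [o for o in self.objects
                   if self.state != CKS_RO_PUBLIC_SESSION or not o[CKA_PRIVATE]]
        return CKR_OK, [o for o in visible
                        if all(o.get(k) == v for k, v in template.items())]


def list_certs(token, want_private, prompt_pin):
    """The application knows whether it wants public or private objects
    (objtype=cert:public vs cert:private), so it logs in up front only for
    private ones; for public ones it prompts only if the token demands it.
    Returns (labels, pin_was_requested)."""
    template = {CKA_CLASS: CKO_CERTIFICATE, CKA_PRIVATE: want_private}
    asked = False
    if want_private:
        token.login(prompt_pin())
        asked = True
    rv, matches = token.find_objects(template)
    if rv == CKR_USER_NOT_LOGGED_IN and not asked:
        token.login(prompt_pin())  # only now is the PIN really needed
        asked = True
        rv, matches = token.find_objects(template)
    if rv != CKR_OK:
        raise RuntimeError(f"C_FindObjects failed: 0x{rv:x}")
    return [o["label"] for o in matches], asked


# Constructed object store: one public and one private certificate.
OBJECTS = [
    {CKA_CLASS: CKO_CERTIFICATE, CKA_PRIVATE: False, "label": "public-cert"},
    {CKA_CLASS: CKO_CERTIFICATE, CKA_PRIVATE: True, "label": "private-cert"},
]


def demo(login_for_public, want_private):
    token = FakeToken(OBJECTS, login_for_public)
    return list_certs(token, want_private, lambda: "1234")
```

With a softtoken-like device the public listing never prompts, while the strict device still gets its PIN, so the spec-following path costs nothing on the devices that caused trouble.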