On Thu, Oct 29, 2009 at 03:48:13PM +0000, Darren J Moffat wrote:
> Will Fiveash wrote:
> > On Thu, Oct 29, 2009 at 02:42:22PM +0000, Darren J Moffat wrote:
> >> Wyllys Ingersoll wrote:
> >>> The problem I recall is that I think the SCA6000 requires login even for
> >>> accessing public objects and "pktool list" without logging in
> >>> resulted in no objects being found.
> >> Hmn, okay at least if I remove CKF_LOGIN_REQUIRED from softtoken that
> >> fixes the most common use case. So maybe leave pktool alone then.
> > It also sounds like the SCA6000 is broken in regards to requiring login
> > to access public objects.
>
> Not necessarily, in fact that is exactly what CKF_LOGIN_REQUIRED means - you
> have to login. Apparently this is common among FIPS 140-2 certified PKCS#11
> tokens.
>
> Now if the CA-6000 didn't have CKF_LOGIN_REQUIRED set and you did have to
> login to see public objects then I'd say it was buggy.
Looking at page 42 of pkcs-11v2-20.pdf CKF_LOGIN_REQUIRED is defined as:

    True if there are some cryptographic functions that a user must be
    logged in to perform.

So if that flag is set for the token the user must login even to access a
public object to view its attributes? That doesn't seem right assuming
access != cryptographic function.

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA
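The thread above turns on how a PKCS#11 client such as pktool should behave when a token sets CKF_LOGIN_REQUIRED and hides even public objects until C_Login, versus a token that hides them with the flag clear (which Darren calls buggy). The C program below is an added example, not code from this thread, from pktool or from the SCA6000 or softtoken drivers. It uses the real CKF_LOGIN_REQUIRED value from pkcs11t.h (0x00000004) but replaces C_GetTokenInfo, C_Login and C_FindObjects with a constructed in-memory token (`sim_token`, `sim_find_public`, `sim_login`, all hypothetical) so it runs without a Cryptoki library. The listing policy `list_public_objects` tries an unauthenticated search first, consults the flag only when that returns nothing, logs in and retries if a PIN is available, and reports a token that needed login despite a clear flag as non-conforming.

```c
#include <stdio.h>
#include <string.h>

/* CK_TOKEN_INFO.flags bit from PKCS#11 v2.20 (pkcs11t.h). */
#define CKF_LOGIN_REQUIRED 0x00000004UL

/* Constructed stand-in for a real token; not a Cryptoki provider (assumption). */
typedef struct {
    const char   *label;
    unsigned long flags;                 /* what C_GetTokenInfo would report */
    int           login_needed_for_public; /* hides CKA_PRIVATE=FALSE objects until login */
    int           public_object_count;   /* number of public objects on the token */
    int           logged_in;
} sim_token;

/* Stand-in for C_FindObjectsInit/C_FindObjects over public objects only. */
static int sim_find_public(const sim_token *t) {
    if (t->login_needed_for_public && !t->logged_in)
        return 0;
    return t->public_object_count;
}

/* Stand-in for C_Login(hSession, CKU_USER, pin, pinLen); 1 on success. */
static int sim_login(sim_token *t, const char *pin) {
    if (pin == NULL)
        return 0;
    t->logged_in = 1;
    return 1;
}

typedef enum {
    LIST_OK_NO_LOGIN,        /* public objects visible without a PIN */
    LIST_OK_AFTER_LOGIN,     /* CKF_LOGIN_REQUIRED set; objects appeared after login */
    LIST_EMPTY,              /* token genuinely holds no public objects */
    LIST_NEEDS_PIN,          /* CKF_LOGIN_REQUIRED set, nothing visible, no PIN given */
    LIST_TOKEN_NONCONFORMING /* flag clear, yet public objects only visible after login */
} list_result;

/* pktool-style policy: never prompt for a PIN unless the token says it is needed. */
static list_result list_public_objects(sim_token *t, const char *pin, int *count) {
    int login_required;

    *count = sim_find_public(t);
    if (*count > 0)
        return LIST_OK_NO_LOGIN;

    login_required = (t->flags & CKF_LOGIN_REQUIRED) != 0;
    if (pin == NULL) {
        /* Without a PIN we cannot tell an empty token from one hiding objects;
         * the flag is the only signal available, so honour it. */
        return login_required ? LIST_NEEDS_PIN : LIST_EMPTY;
    }
    if (!sim_login(t, pin))
        return LIST_NEEDS_PIN;

    *count = sim_find_public(t);
    if (*count == 0)
        return LIST_EMPTY;
    /* Objects appeared only after login: expected if the flag was set,
     * otherwise the token is hiding public objects it should have shown. */
    return login_required ? LIST_OK_AFTER_LOGIN : LIST_TOKEN_NONCONFORMING;
}

int main(void) {
    /* Constructed sample tokens: softtoken-like, FIPS-style, and a buggy one. */
    sim_token soft  = { "softtoken",    0UL,                0, 3, 0 };
    sim_token fips  = { "fips-token",   CKF_LOGIN_REQUIRED, 1, 2, 0 };
    sim_token buggy = { "hides-public", 0UL,                1, 1, 0 };
    int n;

    printf("%s: result=%d count=%d\n", soft.label,  list_public_objects(&soft,  NULL,   &n), n);
    printf("%s: result=%d count=%d\n", fips.label,  list_public_objects(&fips,  NULL,   &n), n);
    printf("%s: result=%d count=%d\n", fips.label,  list_public_objects(&fips,  "1234", &n), n);
    printf("%s: result=%d count=%d\n", buggy.label, list_public_objects(&buggy, "1234", &n), n);
    return 0;
}
```

The point of ordering the checks this way is that a tool only prompts for a PIN when the token has declared CKF_LOGIN_REQUIRED and the unauthenticated search came back empty, which matches the "pktool list" symptom described above; the non-conforming result is a diagnostic for the case Darren describes, where a token hides public objects without having set the flag.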