Darren J Moffat wrote:
> Will Fiveash wrote:
>> On Thu, Oct 29, 2009 at 02:42:22PM +0000, Darren J Moffat wrote:
>>> Wyllys Ingersoll wrote:
>>>> The problem I recall is that I think the SCA6000 requires login even
>>>> for accessing public objects and "pktool list" without logging in
>>>> resulted in no objects being found.
>>> Hmn, okay at least if I remove CKF_LOGIN_REQUIRED from softtoken
>>> that fixes the most common use case. So maybe leave pktool alone
>>> then.
>>
>> It also sounds like the SCA6000 is broken in regards to requiring login
>> to access public objects.
>
> Not necessarily, in fact that is exactly what CKF_LOGIN_REQUIRED means -
> you have to login.

No, it means that there are things you can't see/do unless you login. The question is whether the cert is a public or private object on a specific token. If it's private you have to login to even know it is present. Apparently this is common among FIPS 140-2 certified PKCS#11 tokens.

With the PIV, NIST-800-72-2 Part 1: The certificates are now listed as "Always Read" in Table A-1 and in Appendix F item 49. There were many complaints that previous versions of 800-73 required the PIN, which meant PIV would not work in many systems (especially Windows CSP) if the certificate could not be read without giving the PIN.

> Now if the CA-6000 didn't have CKF_LOGIN_REQUIRED set and you did have
> to login to see public objects then I'd say it was buggy.

--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
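The distinction the thread turns on (CKF_LOGIN_REQUIRED says some objects need a login; whether a given certificate is a CKA_PRIVATE object on a given token decides whether it is visible to an unauthenticated "pktool list") can be written down as a small audit routine. The following is an added example, not code from the thread, from pktool or from any token driver: it models C_GetTokenInfo / C_Login / C_FindObjects with constructed Python classes (Token, Session, audit_token, cert_readable_without_pin) and a constructed hides_public_until_login quirk standing in for the behaviour described for some FIPS 140-2 tokens. A real audit would issue the same sequence of calls through a PKCS#11 library against the token under test.

```python
"""Model of PKCS#11 object visibility against the CKF_LOGIN_REQUIRED flag.

Added illustration; not code from the thread, from pktool, or from any token
driver.  Token, Session, audit_token and the hides_public_until_login quirk are
constructed to mimic the C_GetTokenInfo / C_Login / C_FindObjects behaviour the
thread discusses; a real audit would make those calls through a PKCS#11 library.
"""
from dataclasses import dataclass

# Values from the PKCS#11 header pkcs11t.h.
CKF_LOGIN_REQUIRED = 0x00000004      # bit in CK_TOKEN_INFO.flags
CKU_USER = 1
CKR_OK = 0


@dataclass
class Obj:
    label: str
    cls: str        # "cert", "pubkey" or "privkey"
    private: bool   # CKA_PRIVATE: True means the object exists only for a logged-in user


@dataclass
class Token:
    label: str
    flags: int
    objects: list
    # Constructed quirk: hide even CKA_PRIVATE=FALSE objects until C_Login, the
    # behaviour the thread reports for some FIPS 140-2 tokens.
    hides_public_until_login: bool = False


class Session:
    """Mimics the subset of C_Login / C_FindObjects semantics under discussion."""

    def __init__(self, token):
        self.token = token
        self.logged_in = False

    def login(self, user_type=CKU_USER, pin=""):
        # PIN verification is outside the model; any PIN succeeds.
        self.logged_in = True
        return CKR_OK

    def find_objects(self):
        # Spec behaviour: before login only public objects are enumerable;
        # private objects cannot even be seen to exist.
        if not self.logged_in and self.token.hides_public_until_login:
            return []
        return [o for o in self.token.objects if self.logged_in or not o.private]


def audit_token(token):
    """Compare what an unauthenticated enumeration (as 'pktool list' does)
    returns with the token's advertised CKF_LOGIN_REQUIRED flag."""
    s = Session(token)
    before = {o.label for o in s.find_objects()}
    s.login()
    after = {o.label for o in s.find_objects()}
    public = {o.label for o in token.objects if not o.private}
    private = {o.label for o in token.objects if o.private}

    flag = bool(token.flags & CKF_LOGIN_REQUIRED)
    public_ok = public <= before
    if not public:
        verdict = "no public objects on token; certs included, everything needs login"
    elif public_ok:
        verdict = "public objects readable without PIN"
    elif flag:
        verdict = "every object requires login (breaks unauthenticated pktool list)"
    else:
        verdict = "buggy: login needed for public objects but CKF_LOGIN_REQUIRED not set"
    return {
        "login_required_flag": flag,
        "public_visible_before_login": public_ok,
        "private_hidden_before_login": private.isdisjoint(before),
        "private_visible_after_login": private <= after,
        "verdict": verdict,
    }


def cert_readable_without_pin(token, label):
    """The question from the thread for one object: is this cert public here?"""
    return any(o.label == label and o.cls == "cert"
               for o in Session(token).find_objects())


# Constructed sample tokens (not measurements of any real device).
SOFTTOKEN_LIKE = Token("softtoken", CKF_LOGIN_REQUIRED, [
    Obj("user-cert", "cert", private=False),
    Obj("user-pub", "pubkey", private=False),
    Obj("user-priv", "privkey", private=True),
])
LOGIN_FOR_EVERYTHING = Token("fips-style", CKF_LOGIN_REQUIRED, [
    Obj("user-cert", "cert", private=False),
    Obj("user-priv", "privkey", private=True),
], hides_public_until_login=True)
CERT_STORED_PRIVATE = Token("cert-as-private", CKF_LOGIN_REQUIRED, [
    Obj("user-cert", "cert", private=True),
    Obj("user-priv", "privkey", private=True),
])
NO_FLAG_BUT_LOGIN = Token("misflagged", 0, [
    Obj("user-cert", "cert", private=False),
], hides_public_until_login=True)

if __name__ == "__main__":
    for t in (SOFTTOKEN_LIKE, LOGIN_FOR_EVERYTHING, CERT_STORED_PRIVATE, NO_FLAG_BUT_LOGIN):
        print(t.label, "->", audit_token(t)["verdict"])
```

Only the last constructed token matches Darren's "buggy" criterion (login needed for public objects although the flag is clear); the other two failing cases are the situations Douglas describes, where either the token hides everything until login or the certificate itself was stored as a private object, and the fix is a policy choice about how the certificate is provisioned rather than a pktool change.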