ietf

Re: PKCS#11 URI slot attributes & last call

2014-12-18 10:26:21
On Wed, 17 Dec 2014, Nico Williams wrote:

        Hi all, the draft is in the middle of the last call, with
comments to be sent by Dec 29.  There are a few nits to be fixed, but
we also got two independent inquiries about adding slot attributes.
One is internal to Solaris; another is from an engineer who would like
to replace some pam_pkcs11 module config attributes with one PKCS#11
URI.  One of the attributes there is "slot_description" and apparently
it's useful and being used there.

        I think that having slot attributes is useful.

        The obvious choice is this:

pk11-slot-desc        = "slot-description" "=" *pk11-pchar
pk11-slot-manuf       = "slot-manufacturer" "=" *pk11-pchar
pk11-slot-id          = "slot-id" "=" 1*DIGIT


I don't mind adding "slot-description" and "slot-manufacturer" if someone
finds them useful, but I can't recommend adding "slot-id". I personally

The cases I've seen where this is useful are ones where the PKCS#11
provider library provides unified access to multiple types of
slots/tokens, and the application is trying to obtain user credentials
from a user's removable token (smartcard).

        I agree that if we add slot description and manufacturer 
attributes, we should add slot ID as well.

<...>

I think the descriptions of these slot-specific attributes should be
very explicit about their general unreliability, and they should explain
when they can be useful.

        agreed.

        J.

-- 
Jan Pechanec <jan(_dot_)pechanec(_at_)oracle(_dot_)com>
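The grammar proposed in the thread, worked through as an added example that is not code from the thread, the draft or any PKCS#11 implementation: a small Python parser for pkcs11: URIs carrying slot-description, slot-manufacturer and slot-id, plus a slot matcher that applies the caveat raised above, namely that slot descriptions and manufacturers are not unique, so a match on them is only trusted when exactly one slot satisfies the URI. The slot table is constructed (it stands in for what C_GetSlotList/C_GetSlotInfo would return), the fixed-width space padding of the fields mirrors CK_SLOT_INFO, and the base-draft attribute names accepted alongside the slot attributes (token, manufacturer, serial, model, object, type, id) are assumed from the draft rather than taken from this message.

```python
"""Parser and slot matcher for pkcs11: URIs with the proposed slot attributes.

Added example; the slot table below is constructed, not real provider output.
"""
from dataclasses import dataclass
from urllib.parse import unquote

# The three slot attributes from the thread, plus the base-draft path
# attributes (assumed names) that show up in realistic URIs.  Anything else
# is rejected rather than silently ignored.
SLOT_ATTRS = {"slot-description", "slot-manufacturer", "slot-id"}
KNOWN_PATH_ATTRS = SLOT_ATTRS | {"token", "manufacturer", "serial", "model",
                                 "object", "type", "id"}


def parse_pkcs11_uri(uri):
    """Return the path attributes of a pkcs11: URI as a dict.

    Values are percent-decoded (pk11-pchar).  slot-id must match 1*DIGIT and
    is returned as an int.  Duplicate or unknown path attributes are errors.
    Query attributes (pin-value, pin-source, ...) are not handled here.
    """
    scheme, sep, rest = uri.partition(":")
    if sep != ":" or scheme.lower() != "pkcs11":
        raise ValueError("not a pkcs11: URI")
    path, _, _query = rest.partition("?")
    attrs = {}
    for component in (path.split(";") if path else []):
        name, eq, value = component.partition("=")
        if eq != "=" or name not in KNOWN_PATH_ATTRS:
            raise ValueError("bad path attribute: %r" % component)
        if name in attrs:
            raise ValueError("duplicate path attribute: %s" % name)
        if name == "slot-id":
            # 1*DIGIT: at least one ASCII digit, nothing else.
            if not (value.isascii() and value.isdigit()):
                raise ValueError("slot-id must be 1*DIGIT, got %r" % value)
            attrs[name] = int(value)
        else:
            attrs[name] = unquote(value)
    return attrs


@dataclass(frozen=True)
class Slot:
    slot_id: int
    description: str     # CK_SLOT_INFO.slotDescription, space padded to 64 chars
    manufacturer: str    # CK_SLOT_INFO.manufacturerID, space padded to 32 chars
    token_label: str     # label of the token present, or None for an empty slot


def _padded_eq(info_field, wanted):
    # PKCS#11 stores these strings as fixed-width, space-padded fields;
    # compare with the padding stripped so a URI written from the trimmed
    # string still matches.
    return info_field.rstrip(" ") == wanted.rstrip(" ")


def select_slot(slots, attrs):
    """Pick the single slot matching the slot-* attributes in attrs.

    slot-id is compared exactly; slot-description and slot-manufacturer are
    compared with trailing padding stripped.  Zero or several matches raise
    LookupError: a provider fronting several readers of the same type often
    reports the same description for each, so taking the first hit would
    silently pick an arbitrary slot.
    """
    wanted = {k: v for k, v in attrs.items() if k in SLOT_ATTRS}
    matches = []
    for s in slots:
        if "slot-id" in wanted and s.slot_id != wanted["slot-id"]:
            continue
        if "slot-description" in wanted and not _padded_eq(s.description, wanted["slot-description"]):
            continue
        if "slot-manufacturer" in wanted and not _padded_eq(s.manufacturer, wanted["slot-manufacturer"]):
            continue
        matches.append(s)
    if len(matches) != 1:
        raise LookupError("%d slots match %r" % (len(matches), wanted))
    return matches[0]


# Constructed slot table: one software token and two identical smartcard
# readers, only one of which has a card inserted.
SAMPLE_SLOTS = [
    Slot(0, "Software token".ljust(64), "Example Corp".ljust(32), "softtoken"),
    Slot(1, "USB Smartcard Reader".ljust(64), "Example Corp".ljust(32), None),
    Slot(2, "USB Smartcard Reader".ljust(64), "Example Corp".ljust(32), "my-card"),
]

if __name__ == "__main__":
    uri = "pkcs11:slot-description=USB%20Smartcard%20Reader;slot-id=2;token=my-card"
    print(select_slot(SAMPLE_SLOTS, parse_pkcs11_uri(uri)))
    try:
        select_slot(SAMPLE_SLOTS, parse_pkcs11_uri("pkcs11:slot-description=USB%20Smartcard%20Reader"))
    except LookupError as e:
        print("ambiguous:", e)
```

Run stand-alone, the first lookup resolves to slot 2 because slot-id disambiguates the two identical reader descriptions; the second, description-only lookup is refused as ambiguous, which is the behaviour the thread asks the attribute descriptions to warn about.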