Cryptographic Token Interface Standard

PKCS#11


Secondary authentication PIN collection mechanisms

Cryptoki does not specify a mechanism for secondary authentication PIN collection. The only requirement is that the operation of the collection mechanism is transparent to the client.

Ideally, secondary authentication PINs will be gathered using a protected path device, but that cannot always be the case. A Cryptoki implementation may use platform-specific services to gather PIN values, including GUI dialog boxes. While this differs from Cryptoki's usual avoidance of non-portable implementation requirements, it allows secondary authentication to be used by version 2.01-aware applications without changes. If an application requires PIN values to be collected from a protected path, it should ensure that the CKF_PROTECTED_AUTHENTICATION_PATH flag is set in the CK_TOKEN_INFO structure.
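How a client can act on that flag before logging in, as an added example that is not part of the PKCS#11 text: it uses a reduced stand-in for CK_TOKEN_INFO (only the flags field) so it compiles without pkcs11.h; the flag values are those of pkcs11t.h, while the require_protected_path parameter and the pin_policy enum are assumptions made for this illustration.

```c
/* Added example: decide how the user PIN should be obtained from the token's
 * CK_TOKEN_INFO.flags.  Stand-in definitions below mirror pkcs11t.h values
 * so the file builds without the real header; real code includes pkcs11.h. */
#include <stdio.h>

typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_FLAGS;
typedef struct { CK_FLAGS flags; } TOKEN_INFO_STANDIN;   /* only the field used */

#define CKF_LOGIN_REQUIRED                0x00000004UL
#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100UL

enum pin_policy {
    PIN_NOT_NEEDED,         /* token does not require a login at all */
    PIN_VIA_PROTECTED_PATH, /* token/slot collects the PIN; app does not see it */
    PIN_VIA_APPLICATION,    /* application must collect the PIN (e.g. dialog) */
    PIN_REFUSE              /* app insists on a protected path, token lacks one */
};

/* require_protected_path is the application's own policy (assumed parameter):
 * set it when PINs must never pass through the application or the library. */
enum pin_policy pin_policy_for_flags(CK_FLAGS flags, int require_protected_path)
{
    if (!(flags & CKF_LOGIN_REQUIRED))
        return PIN_NOT_NEEDED;
    if (flags & CKF_PROTECTED_AUTHENTICATION_PATH)
        return PIN_VIA_PROTECTED_PATH;   /* typically C_Login is then given no PIN */
    return require_protected_path ? PIN_REFUSE : PIN_VIA_APPLICATION;
}

int main(void)
{
    /* Constructed token descriptions, as C_GetTokenInfo would fill them in. */
    TOKEN_INFO_STANDIN pinpad  = { CKF_LOGIN_REQUIRED | CKF_PROTECTED_AUTHENTICATION_PATH };
    TOKEN_INFO_STANDIN softtok = { CKF_LOGIN_REQUIRED };
    static const char *names[] = { "no PIN needed", "protected path",
                                   "application collects PIN", "refuse: no protected path" };

    printf("pinpad token, strict policy : %s\n", names[pin_policy_for_flags(pinpad.flags, 1)]);
    printf("soft token,   strict policy : %s\n", names[pin_policy_for_flags(softtok.flags, 1)]);
    printf("soft token,   lenient policy: %s\n", names[pin_policy_for_flags(softtok.flags, 0)]);
    return 0;
}
```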


RSA Security Inc. Public-Key Cryptography Standards - PKCS#11 - v210