On Wed Oct 08 16:06:09 2014, pspacek@redhat.com wrote:

> It seems that all versions of BIND with native PKCS#11 support are
> limited to 32 bytes of PIN length and didn't actually check the PIN
> length, which can later cause login failures.

=> Yes, the PIN length should be limited to something reasonable, and 32 octets seemed the right value. In fact the PIN maximum length is a property of the HSM, so I'll dig into the new PKCS#11 v2.40 specs I copied from OASIS some hours ago to see if there is anything useful about it in them...

> First patch adds check for PIN length to prevent too long PINs from
> causing login failures later.

=> IMHO it is a good idea.

> Second patch extends maximal PIN length to 1023 bytes so it should be
> enough for everyone including me :-)

=> 1023 octets is a very large value for a PIN. BTW, with an enforced low limit on retries a short (4-digit) value is common, i.e.:
- a PIN is not a password
- no limit at all on retries is a *bad* idea (explain this to Apple with its cloud :-).
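The two checks the thread talks about, the local fixed-size PIN buffer and the HSM's own limit, written out as a small added C example (not BIND's code and not either correspondent's patch). The 32-byte buffer size is the figure from the thread; `ulMinPinLen` and `ulMaxPinLen` are the real `CK_TOKEN_INFO` fields that `C_GetTokenInfo` fills in, but the struct, type and `CK_UNAVAILABLE_INFORMATION` constant below are local stand-ins so the file builds without `pkcs11.h`, and the function names (`pk11_pin_check`, `pk11_set_pin`) are invented for this example:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins for the PKCS#11 definitions; real code includes pkcs11.h
 * (assumption: the only fields of CK_TOKEN_INFO needed here are the PIN bounds). */
typedef unsigned long CK_ULONG;
#define CK_UNAVAILABLE_INFORMATION (~0UL)

typedef struct {
    CK_ULONG ulMaxPinLen;   /* maximum PIN length in bytes, as reported by the token */
    CK_ULONG ulMinPinLen;   /* minimum PIN length in bytes, as reported by the token */
} pk11_pin_limits_t;

/* The fixed PIN buffer size from the thread (hypothetical constant name). */
#define PK11_PIN_BUFSIZE 32

typedef enum {
    PK11_PIN_OK = 0,
    PK11_PIN_TOO_LONG_FOR_BUFFER,   /* would not fit the local buffer incl. NUL */
    PK11_PIN_BELOW_TOKEN_MIN,       /* HSM would reject: shorter than ulMinPinLen */
    PK11_PIN_ABOVE_TOKEN_MAX        /* HSM would reject: longer than ulMaxPinLen */
} pk11_pin_status;

/* Validate a PIN against the local buffer first (the missing check in the
 * thread), then against the token's advertised bounds. 'tok' may be NULL if
 * C_GetTokenInfo has not been called yet; unavailable bounds are skipped. */
pk11_pin_status pk11_pin_check(const char *pin, size_t bufsize,
                               const pk11_pin_limits_t *tok)
{
    size_t len = strlen(pin);

    if (len >= bufsize)                       /* keep one byte for the NUL */
        return PK11_PIN_TOO_LONG_FOR_BUFFER;

    if (tok != NULL) {
        if (tok->ulMinPinLen != CK_UNAVAILABLE_INFORMATION &&
            (CK_ULONG)len < tok->ulMinPinLen)
            return PK11_PIN_BELOW_TOKEN_MIN;
        if (tok->ulMaxPinLen != CK_UNAVAILABLE_INFORMATION &&
            (CK_ULONG)len > tok->ulMaxPinLen)
            return PK11_PIN_ABOVE_TOKEN_MAX;
    }
    return PK11_PIN_OK;
}

/* Copy the PIN into the fixed buffer only after it passed every check, so a
 * too-long PIN is rejected up front instead of failing at C_Login later. */
pk11_pin_status pk11_set_pin(char *dst, size_t dstsize, const char *pin,
                             const pk11_pin_limits_t *tok)
{
    pk11_pin_status st = pk11_pin_check(pin, dstsize, tok);
    if (st != PK11_PIN_OK)
        return st;
    memcpy(dst, pin, strlen(pin) + 1);        /* length already bounded above */
    return PK11_PIN_OK;
}

int main(void)
{
    /* Constructed token limits: a typical small HSM policy of 4..8 bytes. */
    pk11_pin_limits_t tok = { .ulMaxPinLen = 8, .ulMinPinLen = 4 };
    char buf[PK11_PIN_BUFSIZE];
    const char *samples[] = { "1234", "123", "123456789",
        "0123456789012345678901234567890123456789" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-42s -> %d\n", samples[i],
               (int)pk11_set_pin(buf, sizeof buf, samples[i], &tok));
    return 0;
}
```

The order matters: the buffer check runs before the token check so the function is safe to call before `C_GetTokenInfo`, and nothing is written into `dst` until the PIN is known to fit, so an over-long PIN can be reported at configuration time rather than surfacing as an opaque login failure.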