> I'm not opposed to that; however, I do not see a reason to artificially
> limit PIN length on *client* side.

=> laziness... (i.e., it is more complex to manage a dynamically sized piece of memory :-).

> In this particular case I'm using SoftHSM so there is no secure way to
> enforce a limit on retries. That is the reason why I wanted to use a very
> long PIN.

=> a long PIN won't save you, in particular with SoftHSM, which doesn't really protect it (BTW mainly because it can't in an easy way. I know how to reset the PIN in the case I used something which is not 1234 and I'd like to keep objects, and I did it more than once :-).

> (And yes, I know that SoftHSM is a really cheap HSM :-))

=> I added a large amount of code to SoftHSMv2, so now I am on its developer list! But while SoftHSM is a very good tool to debug/practice/etc. PKCS#11 code, it was *not* designed for strong security at all.