On Wed Oct 08 16:06:09 2014, pspacek@redhat.com wrote:
> It seems that all versions of BIND with native PKCS#11 support are
> limited to 32 bytes of PIN length and didn't actually check the PIN
> length, which can later cause login failures.

=> Yes, the PIN length should be limited to something reasonable, and 32 octets seemed the right value. In fact the PIN maximum length is a property of the HSM, so I'll dig into the new PKCS#11 v2.40 specs I copied from OASIS some hours ago to see if there is anything useful about it in them...

> First patch adds check for PIN length to prevent too long PINs from
> causing login failures later.

=> IMHO it is a good idea.

> Second patch extends maximal PIN length to 1023 bytes so it should be
> enough for everyone including me :-)

=> 1023 octets is a very large value for a PIN. BTW, with an enforced low limit of retries a short (4 digits) value is common, i.e.:
- a PIN is not a password
- no limit at all on retries is a *bad* idea (explain this to Apple with its cloud :-).
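The failure mode the thread is about, as an added example that is not BIND's code nor either of the patches under discussion: a PIN copied into a fixed 32-octet buffer without a length check is silently truncated, so the configuration is accepted but the later PKCS#11 login (which receives the PIN as a pointer plus ulPinLen, no terminator) is made with the wrong value. The checked variant rejects the over-long PIN up front. PIN_MAX, pin_t, store_pin_unchecked, store_pin_checked and fake_token_login are all names made up for this example; fake_token_login stands in for a token's C_Login and is not a real PKCS#11 call.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size, mirroring the 32-octet limit discussed in the
 * thread. Not BIND's own definition. */
#define PIN_MAX 32

/* PIN as a PKCS#11 C_Login would take it: octets plus an explicit length. */
typedef struct {
    unsigned char pin[PIN_MAX];
    size_t len;             /* what would be passed as ulPinLen */
} pin_t;

/* Constructed 40-character PIN, longer than PIN_MAX. */
static const char LONG_PIN[] =
    "0123456789abcdef0123456789abcdef01234567";

/* 'Before': no length check. An over-long PIN is clamped to PIN_MAX
 * octets, the caller sees success, and the truncated value is what gets
 * sent to the token later. */
bool store_pin_unchecked(pin_t *out, const char *pin)
{
    size_t n = strlen(pin);
    if (n > PIN_MAX)
        n = PIN_MAX;        /* silent truncation: the bug */
    memcpy(out->pin, pin, n);
    out->len = n;
    return true;
}

/* 'After': reject the PIN at configuration time instead of letting a
 * truncated copy fail at login time. */
bool store_pin_checked(pin_t *out, const char *pin)
{
    size_t n = strlen(pin);
    if (n == 0 || n > PIN_MAX) {
        fprintf(stderr, "PIN length %zu out of range (1..%d)\n", n, PIN_MAX);
        return false;
    }
    memcpy(out->pin, pin, n);
    out->len = n;
    return true;
}

/* Stand-in for the token's C_Login: succeeds only if the supplied octets
 * and length match the PIN the token was initialised with. */
bool fake_token_login(const pin_t *p, const char *token_pin)
{
    size_t tl = strlen(token_pin);
    return p->len == tl && memcmp(p->pin, token_pin, tl) == 0;
}

int main(void)
{
    pin_t p;

    /* Unchecked path: configuration "succeeds", login later fails. */
    store_pin_unchecked(&p, LONG_PIN);
    printf("unchecked: stored %zu octets, login %s\n", p.len,
           fake_token_login(&p, LONG_PIN) ? "ok" : "FAILED");

    /* Checked path: the same PIN is refused immediately. */
    printf("checked: %s\n",
           store_pin_checked(&p, LONG_PIN) ? "accepted" : "rejected");

    /* A short PIN, which the thread notes is the common case, works. */
    store_pin_checked(&p, "1234");
    printf("checked 4-digit PIN: login %s\n",
           fake_token_login(&p, "1234") ? "ok" : "FAILED");
    return 0;
}
```

The point of checking at configuration time rather than relying on the token is that a truncated PIN is a wrong PIN: each failed login with it counts against the token's retry limit, so the misconfiguration can lock the token before anyone notices.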