On Wed Oct 08 16:29:21 2014, each@isc.org wrote:
> > => 1023 octets are a very large value for a PIN. BTW
> > with an enforced low limit of retries a short (4 digits) value
> > is common, i.e.:
>
> Seems reasonable, since HSM PINs are always 1234 anyway. :)

=> the reason is the PIN must be available somewhere in clear
(usually in a file) to make the HSM operable by applications
as bind9 (this doesn't mean PINs are useless, only they are
for other things, and security is from a set of means...).