Hi,

In my experience not all libraries require a password or PIN at the self check station. One of the reasons can be that the self check used doesn't have a full keyboard but only a number pad and we can't limit passwords in Koha to be only numeric. So keeping the option to work without passwords would be good.

> On Thu, Jul 31, 2014 at 9:21 AM, Colin Campbell
> <colin.campb...@ptfs-europe.com> wrote:
>> Many of the early sip devices considered the fact a user had wanded a
>> barcode, security enough. I recall machines which sent blank passwords
>> meaning 'I don't care about passwords and if they're valid'. The
>> implication of the standard is that the client end will do the right
>> thing if I flag up the password was invalid.
> It wouldn't surprise me if this were the case back then, but
> yesterday's trusting serial line protocol is today's remote exposure
> of sensitive patron information breach.
>> NB that responses like patron status return both whether the patron is
>> valid and whether the password is valid which suggests that the two are
>> independent and it may want info back irrespective of password validity.
>> It's also not impossible that a client application may want patron data
>> and issue an info request without that patron being present (whether
>> such an app should be tolerated is another thing). So I think we should
>> certainly tailor message responses sensibly but policy is the
>> responsibility of the client device. (maybe we should look a bit closer
>> at them)
>
> I agree that it will be necessary to tailor responses per client, but
> I do think that the default should be to limit what gets disclosed if
> an invalid patron password is presented, as information disclosure
> policies are necessarily the responsibility of the SIP2 server.

I agree that we shouldn't send patron information if a wrong password was provided. Maybe it could be a configuration switch that defines if passwords are expected and react accordingly?

Regards,
Katrin

_______________________________________________
Koha mailing list http://koha-community.org
Koha@lists.katipo.co.nz
http://lists.katipo.co.nz/mailman/listinfo/koha
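Added example, not part of the thread above and not Koha's own SIP server (which is Perl): a small Python sketch of the policy switch Katrin suggests, applied to the SIP2 Patron Status exchange (request 23 / response 24) that Colin mentions. The field ids AO, AA, AC, AD, AE, BL, CQ and AF are the standard SIP2 ones; the patron store, the `SipConfig` class and the `require_patron_password` setting are assumptions made for the demo. BL (valid patron) and CQ (valid patron password) are reported independently as the standard describes, but the personal name (AE) is only filled in when the password check passes, or when the switch says no password is expected and the device sent a blank one.

```python
"""SIP2 Patron Status (23 -> 24) handler with a 'require patron password'
switch and password-gated disclosure of patron data.

Constructed example for the mailing-list discussion; not Koha's C4::SIP
code. Sequence numbers (AY) and checksums (AZ) are omitted for brevity.
"""
from dataclasses import dataclass
import hmac

# Constructed patron store; plaintext PINs only because this is a demo.
PATRONS = {
    "23529000035676": {"name": "Doe, Jane", "password": "1234"},
}


@dataclass
class SipConfig:
    # Assumed setting: when False, a blank AD field is accepted (devices
    # with only a number pad, or no password prompt at all).
    require_patron_password: bool = True


def parse_sip_fields(msg: str) -> dict:
    """Parse the '|'-terminated variable fields: 2-letter id + value."""
    fields = {}
    for part in msg.split("|"):
        if len(part) >= 2:
            fields[part[:2]] = part[2:]
    return fields


def parse_patron_status_request(msg: str) -> dict:
    """Message 23: '23' + language(3) + transaction date(18) + fields."""
    if not msg.startswith("23") or len(msg) < 23:
        raise ValueError("not a Patron Status Request")
    req = {"language": msg[2:5], "date": msg[5:23]}
    req.update(parse_sip_fields(msg[23:]))
    return req


def password_ok(patron: dict, presented: str, cfg: SipConfig) -> bool:
    """Blank password is only acceptable when policy says none is expected."""
    if not cfg.require_patron_password and presented == "":
        return True
    # Constant-time compare so response timing does not leak PIN prefixes.
    return hmac.compare_digest(patron["password"].encode(), presented.encode())


def build_patron_status_response(req: dict, cfg: SipConfig,
                                 date: str = "20140731    092100") -> str:
    """Message 24. BL = valid patron, CQ = valid patron password.
    AE (personal name) is disclosed only when the password check passes."""
    patron = PATRONS.get(req.get("AA", ""))
    valid_patron = patron is not None
    valid_pw = valid_patron and password_ok(patron, req.get("AD", ""), cfg)

    patron_status = " " * 14          # 14-char fixed status block, all clear
    out = ["24" + patron_status + req.get("language", "000") + date]
    out.append("AO" + req.get("AO", ""))
    out.append("AA" + req.get("AA", ""))
    # AE is mandatory in the response, so send it empty rather than omit it.
    out.append("AE" + (patron["name"] if valid_pw else ""))
    out.append("BL" + ("Y" if valid_patron else "N"))
    out.append("CQ" + ("Y" if valid_pw else "N"))
    if valid_patron and not valid_pw:
        out.append("AFInvalid password")
    return "|".join(out) + "|"


if __name__ == "__main__":
    req = parse_patron_status_request(
        "23001" + "20140731    092100" + "AOMAIN|AA23529000035676|AC|AD9999|")
    print(build_patron_status_response(req, SipConfig(require_patron_password=True)))
```

One trade-off worth noting when adopting this: BL still tells the device that the barcode exists even when the password was wrong, which is what the standard describes; a stricter deployment could report BL=N as well, at the cost of less useful error messages on the self-check screen.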