Hi, In my experience not all libraries require a password or PIN at the self check station. One of the reasons can be that the self check used doesn't have a full keyboard but only a number pad and we can't limit passwords in Koha to be only numeric. So keeping the option to work without passwords would be good.
On Thu, Jul 31, 2014 at 9:21 AM, Colin Campbell <colin.campbell@ptfs-europe.com> wrote:
Many of the early SIP devices considered the fact a user had wanded a barcode, security enough. I recall machines which sent blank passwords meaning 'I don't care about passwords and if they're valid'. The implication of the standard is that the client end will do the right thing if I flag up the password was invalid.
It wouldn't surprise me if this were the case back then, but yesterday's trusting serial line protocol is today's remote exposure of sensitive patron information breach.
NB that responses like patron status return both whether the patron is valid and whether the password is valid which suggests that the two are independent and it may want info back irrespective of password validity. It's also not impossible that a client application may want patron data and issue an info request without that patron being present (whether such an app should be tolerated is another thing). So I think we should certainly tailor message responses sensibly but policy is the responsibility of the client device. (maybe we should look a bit closer at them)
I agree that it will be necessary to tailor responses per client, but I do think that the default should be to limit what gets disclosed if an invalid patron password is presented, as information disclosure policies are necessarily the responsibility of the SIP2 server.
I agree that we shouldn't send patron information if a wrong password was provided. Maybe it could be a configuration switch that defines if passwords are expected and react accordingly? Regards, Katrin
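
The configuration switch proposed in this thread could work as in the following sketch, which is an added example and not Koha's SIP server code (Koha is written in Perl; Python is used here for brevity). The names `passwords_expected` and `patron_info_fields`, the sample patron, and the choice to report CQ truthfully even when the switch is off are assumptions; only the variable fields of the Patron Information Response (64) are built, the fixed-length header is omitted.

```python
import hashlib
import hmac

# Variable fields of a SIP2 Patron Information Response (64) that carry
# personal data: name, address, email, phone, fee amount, item lists.
PERSONAL_FIELDS = ("AE", "BD", "BE", "BF", "BV", "AS", "AT", "AU")


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Derive the stored PIN verifier (parameters chosen for the example)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def patron_info_fields(patron, barcode, supplied_pin, passwords_expected):
    """Return the (code, value) fields to send for one request.

    passwords_expected is the hypothetical per-client switch: True for
    devices that can collect a PIN, False for legacy units that send a
    blank password.
    """
    fields = [("AA", barcode)]
    if patron is None:
        # Unknown barcode: nothing to disclose.
        return fields + [("BL", "N"), ("CQ", "N")]
    pin_ok = hmac.compare_digest(
        hash_pin(supplied_pin, patron["salt"]), patron["pin_hash"])
    # BL (valid patron) and CQ (valid patron password) are independent flags.
    fields += [("BL", "Y"), ("CQ", "Y" if pin_ok else "N")]
    if pin_ok or not passwords_expected:
        fields += [(c, patron[c]) for c in PERSONAL_FIELDS if c in patron]
    else:
        # Password required but wrong or blank: flags and a message only.
        fields.append(("AF", "Invalid PIN"))
    return fields


def encode(fields):
    """Serialise fields in SIP2 style: code, value, '|' terminator."""
    return "".join(f"{code}{value}|" for code, value in fields)


# Constructed sample patron record, not real data.
SALT = b"constructed-salt"
PATRON = {"salt": SALT, "pin_hash": hash_pin("4821", SALT),
          "AE": "Example Patron", "BE": "patron@example.org", "BV": "2.50"}

if __name__ == "__main__":
    print(encode(patron_info_fields(PATRON, "23529000000001", "", True)))
    print(encode(patron_info_fields(PATRON, "23529000000001", "", False)))
```
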