Slots, tokens, objects, pin. et al

Hello. Recently bought a 4i and am slowly getting it to do what I hoped it would. I thought it was a really clever idea to use a raspberry pi in this way.

I am hampered by a lack of python (or C) knowledge. My main interest is in pkcs11 interfacing so I can issue certificates using the zymkey to store the secrets. Some of these questions might be more about HSMs in general than Zymkey in particular but I hope some clarity is available.

(a) what is the relationship between slots tokens and objects? Documents refer to 3 slots. But each time I use --init-token I get a ‘virtual’ slot (One with a 10 decimal digit slot number) and then another slot number (eg slot 1). I can repeat this endlessly. I got up to slot 9 before giving up, and could use --init-token on that. What does 3 slots mean?
At present I think that a slot is populated with a single token and that token can store one or more objects, being keys? Correspondingly a token is controlled by the Security Officer PIN while the objects are each controlled by the User PIN. Yes?

(b) Documents mention an ECDSA key pair (and two AES keys). Yet I used the pkcs11-tool command (from the opensc package) to create an RSA key pair. And I see them as objects in the token. Are these really stored in the zymkey?

© When I added a user to my pi I found that as that user I couldn’t do much as that user. I tracked this down to the user not being in the zk_pkcs11 group that has rw access to the /var/lib/zymbit/zk_pkcs11/tokens directory. Once added to that group all was well. Did the install not quite work, or have I missed a bit of documentation that says zymkey users must be in that group?

(d) Apparently a feature for HSM editing is a feature called ‘key counting’ - records number of times key is accessed. Does the zymkey do this?

Many thanks.

r.