Frederic Detienne wrote:
> Hi Nils,
>
> Now, I am getting really curious about what document precludes or allows
> several similar objects per ID.

Have a look at the PKCS#15 or PKCS#11 standard (both are free :)

> In fact, I even wonder what it would mean to have several private keys
> sharing the same ID.

The primary use of the PKCS#15 (or PKCS#11) id seems to be the assignment
of a private key to the different cert and public key objects for this
private key (and of course it can make sense to have more than one cert
for a given private key).

> You can't retrieve them and figure which one you
> prefer... the key is used by the card and all you get is a result
> (signature). This makes me doubt that various similar objects could
> share an ID.
>
> Would (AuthID | ID) be a unique identifier?

For a private key? Almost certainly, as every private key should
have a unique id.

> I.e. the right object with
> the desired ID would be unique for a given AuthID (but there could be
> several objects with the same ID and a different AuthID)...

Most cards have just one user PIN.

> This way, selecting the right object becomes a matter of logging in
> (with an AuthID) and then selecting an object (by ID).

Normally the application chooses a certificate which it would like
to use for a certain. The next step would be to find the private key
for this certificate, but this should be easy as there should be only
one private key with a specific id (PKCS#11 recommends to use the value
of the subjectPublicKeyIdentifier for the id). Whether or not there are
several certificates with the same id doesn't matter here ...

> I am just guessing here as I do not have access to ISO 7816-[4,5] to
> verify and I can't find relevant information in PKCS#15.
http://www.rsasecurity.com/rsalabs/node.asp?id=2124
Cheers,
Nils
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
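The lookup Nils describes above (pick a certificate, then find the one private key carrying the same id) is easy to get wrong at the edges, so here is an added example that walks through it. It is not code from this thread or from OpenSC: it is an in-memory model of a token with no card or PKCS#11 library behind it. The object classes, the `find_objects` template matching and the PIN gating mimic `C_FindObjects`, the id is derived as RFC 5280's method (1) subjectKeyIdentifier (SHA-1 over the RSAPublicKey DER), and the two RSA moduli are constructed toy values, not real keys. The `Token`, `TokenObject`, `private_key_for` and `lookup_status` names are mine, not anything from PKCS#11 or OpenSC.

```python
# Added example; not code from the opensc-devel thread or from OpenSC.
# In-memory model (no card, no PKCS#11 library) of how a client resolves the
# private key for a chosen certificate through the shared id: CKA_ID in
# PKCS#11, the id field in PKCS#15, usually set to the subjectKeyIdentifier.
import hashlib
from dataclasses import dataclass, field

# Object classes, values as CKO_* in pkcs11t.h
CKO_CERTIFICATE = 0x01
CKO_PUBLIC_KEY = 0x02
CKO_PRIVATE_KEY = 0x03

# Constructed toy RSA moduli (256-bit, NOT real keys); they only give the
# example two distinct public keys to hash. Exponent 65537 as usual.
N_A = 0xC7D1B8F0A3E59D2B5F1E3C7A9B2D4F6E8A0C1D3F5B7E9A2C4D6F8B0E2A4C6D8F
N_B = 0xD94A7F1C3E5B8D0F2A4C6E8B1D3F5A7C9E0B2D4F6A8C1E3B5D7F9A0C2E4B6D81
E = 65537


def der_len(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value (the +8 keeps the sign bit clear)."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + der_len(len(body)) + body


def rsa_public_key_der(n: int, e: int) -> bytes:
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    body = der_integer(n) + der_integer(e)
    return b"\x30" + der_len(len(body)) + body


def subject_key_identifier(public_key_der: bytes) -> bytes:
    """RFC 5280 4.2.1.2 method (1): SHA-1 of the subjectPublicKey BIT STRING
    content, which for RSA is the RSAPublicKey DER. PKCS#11 recommends deriving
    CKA_ID from the public key, and this is the usual choice."""
    return hashlib.sha1(public_key_der).digest()


@dataclass
class TokenObject:
    cls: int
    label: str
    cka_id: bytes
    auth_id: int = 1  # PKCS#15 authId: which PIN protects the object


@dataclass
class Token:
    objects: list = field(default_factory=list)
    verified_pins: set = field(default_factory=set)

    def login(self, auth_id: int) -> None:
        """Stand-in for verifying the PIN that belongs to auth_id."""
        self.verified_pins.add(auth_id)

    def find_objects(self, **template) -> list:
        """Mimics C_FindObjects: every object matching all template attributes.
        Private keys are only visible once their PIN has been verified."""
        hits = []
        for obj in self.objects:
            if obj.cls == CKO_PRIVATE_KEY and obj.auth_id not in self.verified_pins:
                continue
            if all(getattr(obj, attr) == value for attr, value in template.items()):
                hits.append(obj)
        return hits


def private_key_for(token: Token, cert: TokenObject) -> TokenObject:
    """The step from the thread: certificate chosen, now find the private key
    with the same id. Exactly one hit is required: zero means the key is absent
    or still PIN-protected, two or more is ambiguous and must not be guessed."""
    keys = token.find_objects(cls=CKO_PRIVATE_KEY, cka_id=cert.cka_id)
    if len(keys) != 1:
        raise LookupError(f"{len(keys)} private keys with id {cert.cka_id.hex()} for {cert.label}")
    return keys[0]


def lookup_status(token: Token, cert: TokenObject) -> str:
    """'ok:<key label>' or 'error:<reason>', for the demo and for checks."""
    try:
        return "ok:" + private_key_for(token, cert).label
    except LookupError as exc:
        return "error:" + str(exc)


def build_demo_token() -> Token:
    """Constructed contents: two certs (original and renewal) share key A's id,
    which is fine; key B sits behind a second PIN (authId 2)."""
    id_a = subject_key_identifier(rsa_public_key_der(N_A, E))
    id_b = subject_key_identifier(rsa_public_key_der(N_B, E))
    token = Token()
    token.objects += [
        TokenObject(CKO_CERTIFICATE, "cert-a-2004", id_a),
        TokenObject(CKO_CERTIFICATE, "cert-a-2005", id_a),
        TokenObject(CKO_PUBLIC_KEY, "pub-a", id_a),
        TokenObject(CKO_PRIVATE_KEY, "key-a", id_a),
        TokenObject(CKO_CERTIFICATE, "cert-b", id_b),
        TokenObject(CKO_PRIVATE_KEY, "key-b", id_b, auth_id=2),
    ]
    return token


if __name__ == "__main__":
    token = build_demo_token()
    token.login(1)
    for cert in token.find_objects(cls=CKO_CERTIFICATE):
        print(cert.label, "->", lookup_status(token, cert))
    # A second private key under key A's id makes the lookup ambiguous
    token.objects.append(TokenObject(CKO_PRIVATE_KEY, "key-a-dup", token.objects[0].cka_id))
    print("after duplicate:", lookup_status(token, token.objects[0]))
```

Two points the model makes concrete: several certificates with one id resolve to the same key without any trouble, whereas a cert whose key is behind an unverified PIN, or an id carried by two private keys, must surface as an error rather than a silently chosen key. Only the single-PIN case is the norm on real cards, as Nils notes, but the authId gating costs nothing and keeps the lookup honest on tokens that do have more than one.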