Douglas E. Engert wrote:

Nils Larsch wrote:

Douglas E. Engert wrote:

NIST 800-73-1 is going to drop the requirement for pin protected certificates on the PIV cards. This was the single biggest complaint. This change makes this the default, but does allow for continued testing with current cards that do enforce the 800-73 requirement of pin protected certs by adding flags=10 to the card_atr section in the opensc.conf file. Eventually this code could be removed in some future release.

How difficult would it be to auto detect whether or not the
cert is protected? Btw: how many cards with a protected
certificate have been issued? If none I guess we could ignore
them completely.

Vendors are still developing their cards. So no cards are in production.
Early cards from most vendors did not have pin protected certs,
as it was unusual, would not work with Windows CSPs, made it more difficult
to test, and the vendors were trying to change NIST's decision to require
the protection. But some vendors did finally include this, as it was required.
Now that NIST appears to have agreed to drop the requirement, I would
expect any new cards released would not have pin protected certs.

The review of changes to 800-73 is going on now until the end of the month.
If you would like to comment see:
http://csrc.nist.gov/publications/drafts.html#sp800-73-1
(But the proposed changes link appears to be broken!)

http://csrc.nist.gov/publications/drafts/800-73-1/sp800-73-1v1.pdf
appears to be the proposed changes.

The patch I sent makes the default to not expect the card to require pin
protection, but does allow for a way to test using a card that does.
This is done by setting the flags=10. It is really only for developers
who may have a beta card now and want to test with it.

So I would not like to ignore them completely, at least not for the
next few months.

As for detecting if it has pin protection, that could be done, but only
by trying to read one of the certs, as it is not optional to have the pin
protection, but rather NIST is changing their mind, and there are no flags
on the card to indicate what the card does. Since it would only be developers
with beta cards, it might not be worth the effort.

I can look at it more if you want.

Shouldn't be necessary, please test a recent snapshot.

Cheers,
Nils
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel