On Thu, 2006-10-26 at 11:05 -0500, Douglas E. Engert wrote:
> 
> I would hope you would never try to cache a pin especially with
> a card like the one you describe:
> 
>    * If the card was issued such that you had to enter the pin
>      before every signature, then you are violating the policy
>      that the card is trying to enforce and you leave yourself
>      open to misuse of the card.
> 
>    * Newer card readers have a PIN pad so that the host/application
>      will never see the PIN, and therefore the application cannot
>      cache it. These readers help avoid keyboard sniffers, and
>      applications like yours that try and cache (i.e. misuse the PIN).
> 
>    * The user is expecting that every time the card is required
>      to do a signature, they will be notified and can make the choice
>      of signing or not.
> 
> Maybe Thunderbird needs to make some changes too, to abide by
> the policies that the card issuer and user are expecting.

Hello, I've taken over the work that Justin Eylander was doing and was
wondering if there's a flag that can be set in OpenSC to have it ask for
the PIN for operations requiring user consent.
In Thunderbird/Firefox, it seems that it will ask you to enter your PIN
once to list certificates and then again when it does the actual
signing.  With a JavaScript test I found that behavior... haven't had a
chance to test email... but I assume it will be the same.
There IS an option that allows you to 'Log in' to the card permanently,
and it gets rid of the certificate listing PIN entry.

As it stands now... I have to cache the PIN since there seems to be no
way to initiate a user-consent PIN request properly...

As to how Thunderbird/Firefox might need to change... I see that it
should be honoring any PKCS11 attributes that exist for the user-consent
policy... but I am not sure if there exists any such attribute.
-- 
Thomas Harning Jr.
Authentication Engineer @ Identity Alliance
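
Editor's note, added to this thread and not part of either message or of OpenSC or Thunderbird: the attribute-driven "ask before every signature" policy being asked about is what PKCS#11 v2.20 defines with CKA_ALWAYS_AUTHENTICATE on the private key together with C_Login(CKU_CONTEXT_SPECIFIC). The module refuses C_Sign with CKR_USER_NOT_LOGGED_IN unless a context-specific login was done after C_SignInit, and that consent covers exactly one operation, so the application cannot satisfy it from a cached PIN. The C below is a constructed in-memory model of that state machine (the `model_*` names, the `app_sign_with_consent` helper, the prompt callbacks and the test PIN "1234" are all invented for illustration); only the CK* constant values come from the PKCS#11 header.

```c
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Genuine PKCS#11 v2.20 constant values (as in pkcs11t.h). */
#define CKA_ALWAYS_AUTHENTICATE        0x00000202UL
#define CKU_USER                       1UL
#define CKU_CONTEXT_SPECIFIC           2UL
#define CKR_OK                         0x00000000UL
#define CKR_OPERATION_NOT_INITIALIZED  0x00000091UL
#define CKR_USER_NOT_LOGGED_IN         0x00000101UL
#define CKR_PIN_INCORRECT              0x000000A0UL

/* Constructed model of a token-side private key object. */
typedef struct {
    const char *label;
    bool always_authenticate;   /* the key's CKA_ALWAYS_AUTHENTICATE value */
} model_key_t;

/* Constructed model of the per-session state a PKCS#11 module keeps. */
typedef struct {
    bool user_logged_in;        /* C_Login(CKU_USER) succeeded */
    bool sign_initialized;      /* C_SignInit done, C_Sign still pending */
    bool context_login_valid;   /* CKU_CONTEXT_SPECIFIC granted for the pending op only */
    const model_key_t *active_key;
    unsigned signatures_made;
} model_session_t;

static const char MODEL_USER_PIN[] = "1234";   /* constructed test PIN */

static void model_session_init(model_session_t *s) { memset(s, 0, sizeof *s); }

/* C_Login(CKU_USER): ordinary session login. */
static unsigned long model_login_user(model_session_t *s, const char *pin) {
    if (strcmp(pin, MODEL_USER_PIN) != 0) return CKR_PIN_INCORRECT;
    s->user_logged_in = true;
    return CKR_OK;
}

/* C_SignInit: selects the key; any earlier context-specific grant is void. */
static unsigned long model_sign_init(model_session_t *s, const model_key_t *key) {
    if (!s->user_logged_in) return CKR_USER_NOT_LOGGED_IN;
    s->active_key = key;
    s->sign_initialized = true;
    s->context_login_valid = false;
    return CKR_OK;
}

/* C_Login(CKU_CONTEXT_SPECIFIC): consent for the one pending operation. */
static unsigned long model_login_context(model_session_t *s, const char *pin) {
    if (!s->sign_initialized) return CKR_OPERATION_NOT_INITIALIZED;
    if (strcmp(pin, MODEL_USER_PIN) != 0) return CKR_PIN_INCORRECT;
    s->context_login_valid = true;
    return CKR_OK;
}

/* C_Sign: refused when the key demands per-operation consent that was not given. */
static unsigned long model_sign(model_session_t *s) {
    if (!s->sign_initialized) return CKR_OPERATION_NOT_INITIALIZED;
    const model_key_t *k = s->active_key;
    s->sign_initialized = false;               /* one C_Sign ends the operation */
    if (k->always_authenticate && !s->context_login_valid)
        return CKR_USER_NOT_LOGGED_IN;
    s->context_login_valid = false;            /* consent is consumed by this signature */
    s->signatures_made++;
    return CKR_OK;
}

/* Application side: prompt per signature when the key's attribute says so,
 * and wipe the PIN afterwards instead of caching it. */
typedef bool (*pin_prompt_fn)(char *buf, size_t len);

static unsigned long app_sign_with_consent(model_session_t *s, const model_key_t *key,
                                           pin_prompt_fn prompt) {
    unsigned long rv = model_sign_init(s, key);
    if (rv != CKR_OK) return rv;
    if (key->always_authenticate) {
        char pin[64];
        if (!prompt(pin, sizeof pin)) return CKR_USER_NOT_LOGGED_IN;  /* user declined */
        rv = model_login_context(s, pin);
        memset(pin, 0, sizeof pin);            /* PIN lives only for this call */
        if (rv != CKR_OK) return rv;
    }
    return model_sign(s);
}

/* Constructed prompt callbacks standing in for a real PIN dialog. */
static bool model_prompt_accept(char *buf, size_t len) {
    snprintf(buf, len, "%s", MODEL_USER_PIN);
    return true;
}
static bool model_prompt_decline(char *buf, size_t len) {
    (void)buf; (void)len;
    return false;
}
```

In this model a key with `always_authenticate` set cannot be used twice on one consent, and a second C_SignInit without a fresh context-specific login is refused, which is why an application that only caches the user PIN cannot meet the policy: the token, not the application, decides when a prompt is required, and the application's job is to surface that prompt.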

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel