Thomas Harning Jr. wrote:
On Thu, 2006-10-26 at 11:05 -0500, Douglas E. Engert wrote:

I would hope you would never try to cache a pin especially with
a card like the one you describe:

* If the card was issued such that you had to enter the pin
before every signature, then you are violating the policy
that the card is trying to enforce and you leave yourself
open to misuse of the card.
* Newer card readers have a PIN pad so that the host/application
will never see the PIN, and therefore the application can not
cache it. These readers help avoid keyboard sniffers, and
applications like yours that try and cache (i.e. misuse) the PIN.
* The user is expecting that every time the card is required
to do a signature, they will be notified and can make the choice
of signing or not.

Maybe Thunderbird needs to make some changes too, to abide by
the policies that the card issuer and user are expecting.

Hello, I've taken over the work that Justin Eylander was doing and was
wondering if there's a flag that can be set in OpenSC to have it ask for
the PIN for operations requiring user-consent.

opensc should return a CKR_USER_NOT_LOGGED_IN error if it doesn't have
sufficient privileges to do some operation (this of course assumes that
the user-consent attribute is enforced by the card os).

In Thunderbird/Firefox, it seems that it will ask you to enter your PIN
once to list certificates and then again when it does the actual
signing.

which is of course sub-optimal ... why should one enter the pin
to list something public ...

With a JavaScript test I found that behavior... haven't had a
chance to test email... but I assume it will be the same.
There IS an option that allows you to 'Log in' to the card permanently,
and it gets rid of the certificate listing PIN entry.
As it stands now... I have to cache the PIN since there seems to be no
way to initiate a user-consent PIN request properly...
As to how Thunderbird/Firefox might need to change... I see that it
should be honoring any PKCS11 attributes that exist for the user-consent
policy.. but I am not sure if there exists any such attribute.

the CKA_ALWAYS_AUTHENTICATE pkcs11 private key attribute might be
usable here.

Cheers,
Nils
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
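
The call order that CKA_ALWAYS_AUTHENTICATE implies for an application, as an added example that is not part of the original thread and is not OpenSC or Thunderbird code. The constants carry their PKCS#11 v2.20 values; `ModelToken`, `sign_with_consent` and `ask_pin` are hypothetical names, and the token is a simplified in-memory model of a card that enforces per-signature consent.

```python
# Constants carry their PKCS#11 v2.20 values. ModelToken is a constructed
# stand-in for a card that enforces user consent, not a real PKCS#11 module.
CKR_OK, CKR_PIN_INCORRECT, CKR_USER_NOT_LOGGED_IN = 0x000, 0x0A0, 0x101
CKR_OPERATION_NOT_INITIALIZED = 0x091
CKU_USER, CKU_CONTEXT_SPECIFIC = 1, 2

class ModelToken:
    """Holds one private key with CKA_ALWAYS_AUTHENTICATE = CK_TRUE."""

    def __init__(self, pin):
        self._pin = pin
        self._session_login = False   # set by C_Login(CKU_USER)
        self._op_active = False       # set by C_SignInit
        self._op_authed = False       # set by C_Login(CKU_CONTEXT_SPECIFIC)

    def login(self, user_type, pin):
        if user_type == CKU_CONTEXT_SPECIFIC and not self._op_active:
            return CKR_OPERATION_NOT_INITIALIZED
        if pin != self._pin:
            return CKR_PIN_INCORRECT
        if user_type == CKU_CONTEXT_SPECIFIC:
            self._op_authed = True
        else:
            self._session_login = True
        return CKR_OK

    def sign_init(self):
        if not self._session_login:
            return CKR_USER_NOT_LOGGED_IN
        self._op_active, self._op_authed = True, False
        return CKR_OK

    def sign(self, data):
        if not self._op_active:
            return CKR_OPERATION_NOT_INITIALIZED, None
        authed = self._op_authed
        self._op_active = self._op_authed = False   # consent is single-use
        if not authed:
            return CKR_USER_NOT_LOGGED_IN, None
        return CKR_OK, b"sig:" + data               # placeholder signature

def sign_with_consent(token, data, ask_pin):
    """Application side: prompt for every signature, never store the PIN."""
    rv = token.sign_init()
    if rv == CKR_OK:
        rv = token.login(CKU_CONTEXT_SPECIFIC, ask_pin())
    return token.sign(data) if rv == CKR_OK else (rv, None)
```

With a PIN-pad reader, `ask_pin` would have nothing to return to the application because the PIN is entered on the reader itself.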