On Thursday, 3 April 2008 21:17:29, Timothy J Miller wrote:
> DoD PKI Registration Authorities use two readers and two cards; one
> with personal credentials used to log into the system, the second with
> RA credentials to access the CA.

perfectly fine: create key on RA card, download public key from RA card, create CSR, use CA card to sign the cert, install on RA card. as you can see: a serial process. at no time during this are both cards used at once. I think this should be fine with opensc, pcsc, openct etc.

but: if you use some card (e.g. CA card for signing something), and at the same time replace some other card, you might get into trouble. smart card software is most likely not bullet proof - replace a card while it is used, and the card could be broken by that. the security design might even mandate it (a newly created file can't be accessed by anyone, except if it is given the rights for that. but if the process is interrupted, the file could be there with no one allowed to change, set rights or delete it).

if you have two cards in use at the same time, the libraries' scanning of card readers/cards could be troubled if one card is replaced. note: I don't know the internals of opensc well enough to be sure there is a problem or not, but there might be one.

insert both cards, use opensc, when done remove one or both and you are fine. the other stuff I'm mentioning are only race conditions that might happen if you do stuff that is clearly not advisable.

Regards, Andreas