On 12/17/08, Andreas Jellinghaus <[email protected]> wrote:
> > As we discussed in the mailing list, I don't like the new addition
> > Martin added to pkcs11-tool, adding a new standalone option
> > --list-token-slots instead of a modifier to --list-slots... No blocker,
> > but change in interface of tools should be considered as static.
>
> I have no opinion on this. Whatever code looks cleaner might be
> a nice way to decide this?
Well... Apparently I am the only one with an opinion... so I withdraw.
> > And there is the data object issue, which I think is a major security issue
>
> 1.) can someone check all profiles if this affects all cards?
Except for oberthur.profile, all profiles have, one way or another:
EF data {
    ACL = READ=NONE.*;
}
So it affects all the cards, I don't fully understand the oberthur...
> 2.) is this change in flex.profile good enough to fix new cryptoflex cards?
If I understand correctly, this change will make all data objects
private. We do not want this. We want to support public and private
data objects.
<snip>
> in any case, we need to know what our situation exactly is.
> I don't know cryptoflex well, don't know pkcs#15 well,
> have no clue about the other drivers (only minor clue about
> cardos and nothing else), don't know enough about opensc internals.
> so please everyone help in getting a clear description about the
> situation.
Me neither... :(
I thought I would be able to invest some time to investigate this in
the near future.
But we need someone who knows PKCS#15 well enough to decide.
> then we should
> - try to fix it for new cards
> - try to fix old cards with a tool if it is possible
> - create a patch containing these changes
> - write a security advisory with our analysis of the situations
> and the fixes
Well... is there any active PKCS#15 developer left in the OpenSC domain?
> - find people to proofread it and spell check it
This I can do... :)
I have the same issue with asepcos.
> - create a new release
> - create new windows build and sca releases
> - publish the security advisory pointing to the new release and the patch
> - contact distributions, so they can update the binary packages for linux
The above is simple enough... :)
Thanks!
Alon.
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
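
Added example, not part of the original message and not OpenSC code: a small audit script for the profile check described above, reporting which EF blocks of a profile end up readable without authentication (READ=NONE). The sample profile, its EF names and file-id are constructed, and treating `*=` as a default applied in statement order is an assumption about the profile syntax.

```python
import re

# Constructed sample in OpenSC profile syntax (not copied from a shipped profile).
SAMPLE_PROFILE = """
filesystem {
    DF MF {
        DF PKCS15-AppDF {
            EF template-private-key {
                ACL = *=NEVER, CRYPTO=$PIN, UPDATE=$PIN;
            }
            # data object file, explicit READ=NONE after a restrictive default
            EF data {
                file-id = 4401;
                ACL = *=NEVER, UPDATE=$PIN, READ=NONE;
            }
            EF data-open {      # wildcard form: everything allowed
                ACL = *=NONE;
            }
            EF data-private {   # hypothetical PIN-protected variant
                ACL = *=$PIN;
            }
        }
    }
}
"""

EF_BLOCK = re.compile(r"\bEF\s+([\w-]+)\s*\{([^{}]*)\}")
ACL_STMT = re.compile(r"\bACL\s*=\s*([^;]*);")

def effective_read(body):
    """Return the READ condition an EF body ends up with, or None if unset."""
    read = None
    for stmt in ACL_STMT.findall(body):
        for entry in stmt.split(","):
            op, _, cond = entry.partition("=")
            # Assumption: '*' sets every operation; later entries override earlier ones.
            if op.strip().upper() in ("*", "READ"):
                read = cond.strip().upper()
    return read

def audit_profile(text):
    """Map each EF name in the profile text to its effective READ condition."""
    text = re.sub(r"#[^\n]*", "", text)  # drop '#' comments before matching
    return {name: effective_read(body) for name, body in EF_BLOCK.findall(text)}

def readable_without_auth(text, name_part="data"):
    """EFs whose name contains name_part and whose READ condition is NONE."""
    return sorted(n for n, r in audit_profile(text).items()
                  if name_part in n and r == "NONE")

if __name__ == "__main__":
    print(readable_without_auth(SAMPLE_PROFILE))
```

Run against each profile file in turn, this gives the per-card list the thread asks for; an EF reported here is not necessarily wrong, since public data objects are meant to stay readable.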