Yes, we discussed this many times.
We should work in order to make opensc stateless, and allow concurrent
application usage.
Until we do so, the PKCS#11 provider is *NOT* compliant with the specification.

Alon.

On 12/27/08, Andreas Jellinghaus <a...@dungeon.inka.de> wrote:
> oops, lock_login is off by default?
>  and my standard test procedure doesn't even work
>  in that situation at all (init, create pin, create key,
>  create self-signed cert, store cert, run test procedures ...
>  all with egate+cryptoflex 32k).
>
>  not sure how many times we discussed it already, and
>  not even sure what position I had last time.
>
>  but right now I think: if lock_login=true results in both a
>  more secure setup and normal test procedures will
>  work as well, then it is the right thing to do.
>
>  note: the errors I get are these with pkcs11-tool --test --login:
>
>  [opensc-pkcs11] iso7816.c:99:iso7816_check_sw: Security status not satisfied
>  [opensc-pkcs11] card-flex.c:1055:cryptoflex_compute_signature: Card returned error: Security status not satisfied
>  [opensc-pkcs11] sec.c:53:sc_compute_signature: returning with: Security status not satisfied
>  [opensc-pkcs11] pkcs15-sec.c:273:sc_pkcs15_compute_signature: sc_compute_signature() failed: Security status not satisfied
>
>  and I get the same with openssl and engine_pkcs11. everything still works,
>  despite these errors. still it confuses the user to generate such output,
>  thus I think lock_login=true is better (and more secure).
>
>  yes, people will hate me, because everyone using firefox and thunderbird at
>  the same time, with smart cards enabled in both needs to fix his opensc.conf
>  to make it work. we can handle that in a FAQ entry.
>
>  also I noticed, the code in pkcs11/misc.c has the defaults twice - once if
>  there is a "pkcs11" block in the config file, and once for the case if that
>  is not the situation. a bit confusing, I tried to clean this up.
>
>  I fixed the security issue (at least for cryptoflex), will commit the changes
>  later.
>
>  Regards, Andreas
>  _______________________________________________
>  opensc-devel mailing list
>  opensc-devel@lists.opensc-project.org
>  http://www.opensc-project.org/mailman/listinfo/opensc-devel
>