On Wednesday, 28 January 2009 08:27:16, Jeffrey Hutzelman wrote:
> > your comment on "no so pin" is strange - "pkcs15+onepin" option is
> > exactly the way opensc initializes a card to have a single pin (i.e. no
> > sopin).
>
> I think I was talking about the difference between '-p pkcs15+onepin' and
> '--no-so-pin'.  It's probably not important.

I didn't even know we had that option, and I have no clue which cards
will work with it, and what the results in terms of security will be, if it is
used. a quick look at the code didn't help (pkcs15-init.c:do_init_app
looks at the options and no_sopin, but the code is different).

> It looks to me like only cryptoflex, cyberflex, and oberthur currently have
> this behavior.  It's not urgent to me, and in fact I prefer being able to
> wipe a card clean without having to know any of the existing PINs.  I just
> thought I'd bring up the issue for people to consider, given that the
> comments in the profile indicate the intent was always to change it
> eventually.

could be. I'm no cryptoflex expert and don't know the opensc core code.
thus I cannot change anything, and I have no intention to become an expert
on either subject. once more we face the situation that opensc is not finished
in many ways, but there is no one even knowing the code, let alone working
on improving opensc in these matters.

> Hrm.  Some would argue that the change for that issue should be in its own
> release, separate from anything else.  In practice, it probably doesn't
> matter in this case.

last time I published a patch with the security change only, so that debian
and friends can backport that patch instead of moving to the new release.
maybe I will do that again.

Regards, Andreas
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel