On Jan 28, 2010, at 12:50 , Viktor TARASOV wrote:
> Hi Martin,
>
> Martin Paljak wrote:
>> On Jan 28, 2010, at 10:28 , [email protected] wrote:
>>
>>> Revision: 3952
>>> Author: viktor.tarasov
>>> Date: 2010-01-28 08:28:25 +0000 (Thu, 28 Jan 2010)
>>>
>>> Log Message:
>>> -----------
>>> pkcs11: do not create slot for PUK
>>>
>>
>> This provided an easy way to change the PUK code via a GUI - Firefox. Are
>> there other ways a PUK code could be exposed via PKCS#11?
>>
>
>
> Fairly, I've done it in a reason of Firefox -- when looking for the
> keys, it tries to login into every available slot.

For Firefox to work as expected (probably) you need to have the module loaded with the "Friendly certs" flag set; this directs NSS to treat tokens as if their certificates don't require a login before.

Unfortunately, there is no GUI for this and the module needs to be loaded with javascript. The javascript interface used to be available for public use until v3.5, which disabled it for "security reasons". See https://bugzilla.mozilla.org/show_bug.cgi?id=511652 for more information.

> Do we really need to be able to change PUK through PKCS#11?
> If so, I will roll it back.

The onepin pkcs#11 module was also created to please Firefox (the friendly certs trick, the nonrepudiation keys issue among others).

It would be nice if there was a feature-complete PKCS#11 module that exposes as much as possible as flexibly as possible and a "dumb module" that would please Firefox/NSS. For Estonian eID, the "onepin" could be translated as "module with no non-repudiation keys". What other requirements should this module have?

> Or as usual,
> I can replace decision to the pkcs11 section of opensc.conf.

A sensible default is probably the best idea.

--
Martin Paljak
http://martin.paljak.pri.ee
+3725156495
