For a security product, I don't think it is wise to have default of none secure behavior, especially such that allows everyone to use the private objects once authenticated.
On Wed, May 19, 2010 at 11:17 AM, <webmas...@opensc-project.org> wrote: > > Revision: 4359 > Author: viktor.tarasov > Date: 2010-05-19 08:17:53 +0000 (Wed, 19 May 2010) > > Log Message: > ----------- > pkcs11: by default do not lock login > > Modified Paths: > -------------- > trunk/etc/opensc.conf.in > trunk/src/pkcs11/misc.c > > Modified: trunk/etc/opensc.conf.in > =================================================================== > --- trunk/etc/opensc.conf.in 2010-05-18 14:39:53 UTC (rev 4358) > +++ trunk/etc/opensc.conf.in 2010-05-19 08:17:53 UTC (rev 4359) > @@ -341,30 +341,32 @@ > # Default: true > # hide_empty_tokens = false; > > - # By default, the OpenSC PKCS#11 module will lock your card > - # once you authenticate to the card via C_Login. > - # This is to prevent other users or other applications > + # By default, the OpenSC PKCS#11 module will not lock your > card > + # once you authenticate to the card via C_Login. > + # > + # Thus the other users or other applications is not prevented > # from connecting to the card and perform crypto operations > # (which may be possible because you have already authenticated > - # with the card). Thus this setting is very secure. > + # with the card). This setting is not very secure. > # > - # This behavior is a known violation of PKCS#11 specification, > - # and is forced due to limitation of the OpenSC framework. > + # Also, if your card is not locked, you can enconter problems > + # due to limitation of the OpenSC framework, that still is not > + # thoroughly tested in the multi threads environment. > # > - # However now once one application has started using your > - # card with C_Login, no other application can use it, until > - # the first is done and calls C_Logout or C_Finalize. > - # In the case of many PKCS#11 application this does not happen > - # until you exit the application. > + # Your settings will be more secure if you choose to lock your > + # card. Nevertheless this behavior is a known violation of > PKCS#11 > + # specification. Now once one application has started using > your > + # card with C_Login, no other application can use it, until > + # the first is done and calls C_Logout or C_Finalize. In the > case > + # of many PKCS#11 application this does not happen until you > exit > + # the application. > + # Thus it is impossible to use several smart card aware > applications > + # at the same time, e.g. you cannot run both Firefox and > Thunderbird at > + # the same time, if both are configured to use your smart > card. > # > - # Thus it is impossible to use several smart card aware > - # applications at the same time, e.g. you cannot run both > - # Firefox and Thunderbird at the same time, if both are > - # configured to use your smart card. > - # > - # Default: true > - # lock_login = false; > - # > + # Default: false > + # lock_login = true; > + > # Set this value to true if you want to allow off-card > # keypair generation (in software on your pc) > # > > Modified: trunk/src/pkcs11/misc.c > =================================================================== > --- trunk/src/pkcs11/misc.c 2010-05-18 14:39:53 UTC (rev 4358) > +++ trunk/src/pkcs11/misc.c 2010-05-19 08:17:53 UTC (rev 4359) > @@ -289,7 +289,7 @@ > conf->max_virtual_slots = 16; > conf->slots_per_card = 4; > conf->hide_empty_tokens = 1; > - conf->lock_login = 1; > + conf->lock_login = 0; > conf->soft_keygen_allowed = 0; > conf->pin_unblock_style = SC_PKCS11_PIN_UNBLOCK_NOT_ALLOWED; > conf->create_puk_slot = 0; > > > _______________________________________________ > opensc-commits mailing list > opensc-comm...@lists.opensc-project.org > http://www.opensc-project.org/mailman/listinfo/opensc-commits _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
