[Sent to Martin only by mistake. Apologies.]

On Sun, Aug 15, 2010 at 16:11, Martin Paljak <mar...@paljak.pri.ee> wrote:
>> I think that the checks already in place are all right. I guess that
>> implementation quirks may arise if and when 2048-bit keys are
>> supported, but currently I know of no CNS card with keys longer than
>> 1024 bit, so it's safe for the time being.
>
> That's a good example: iso7816.c should be eventually updated to work with
> extended APDU-s and 2048b keys as well.

I guess that it should also include the proper workarounds for configurations (card readers, or specific reader+card combinations) that do not support extended APDUs properly.

I should have a CardOS 4.2/4.3 card that could be initialized with 2048-bit keys. Will write that down as a worthwhile project. :)

> Some things to consider
> * javacard driver really should be the last but one driver before default.
> It is as dummy by nature as the default driver.
> * card->name vs driver->name. Currently the card driver name is long and in
> Italian ("Carta Nazionale dei Servizi") while the card name is short and in
> English. Keep in mind that the driver name is hidden from most users and the
> card name pops up with opensc-tool -n and in your case in PKCS#11 token
> labels. You might want to balance between them, as long as OpenSC does not
> have localization support.
> * Also, you use the card name as the PKCS#15 card label. From personal
> experience I'd suggest to use something personal instead of that, so that
> Firefox or Thunderbird could differentiate between two cards of the same
> type. For the Estonian ID-card it used to be "ID-kaart" as well, but "MARTIN
> PALJAK (PIN1)" prompt beats "ID-kaart (PIN1)" prompt.

I've taken care of them in
http://www.opensc-project.org/opensc/attachment/ticket/177/itacns-patch5.diff

The only noteworthy new part is at pkcs15-itacns.c:319 and following, where the cardholder's personal data is read and parsed. I think the code is defensive enough not to break even with invalid data in the file.

Bye!
--
Emanuele
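An added example, not part of the original message and not OpenSC's iso7816.c code: the ISO 7816-4 length encoding behind the 1024-bit versus 2048-bit remark above, showing that a 256-byte block no longer fits a short APDU and that the encoder refuses it when extended length is not allowed, so the caller can take a fallback path. The function name `apdu_encode`, its parameters, the header bytes and the all-zero payload are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: encode an ISO 7816-4 command APDU (hdr = CLA INS P1 P2).
 * lc = command data length, le = expected response length (0 = none).
 * Returns bytes written, or 0 on error or when extended length is needed
 * but allow_extended is 0. */
size_t apdu_encode(uint8_t *out, size_t outlen, const uint8_t hdr[4],
                   const uint8_t *data, size_t lc, size_t le,
                   int allow_extended)
{
    int ext = (lc > 255 || le > 256);   /* short limits: Lc 255, Le 256 */
    size_t need, n = 4;
    if (!out || !hdr || lc > 65535 || le > 65536 || (lc && !data))
        return 0;
    if (ext && !allow_extended)
        return 0;                       /* caller must use a fallback */
    if (ext)
        need = 4 + (lc ? 3 + lc : 0) + (le ? (lc ? 2 : 3) : 0);
    else
        need = 4 + (lc ? 1 + lc : 0) + (le ? 1 : 0);
    if (need > outlen)
        return 0;                       /* never write past the buffer */
    memcpy(out, hdr, 4);
    if (ext) out[n++] = 0x00;           /* extended-length marker byte */
    if (lc) {
        if (ext)
            out[n++] = (uint8_t)(lc >> 8);
        out[n++] = (uint8_t)(lc & 0xff);
        memcpy(out + n, data, lc);
        n += lc;
    }
    if (le) {
        if (ext)
            out[n++] = (uint8_t)((le >> 8) & 0xff); /* 65536 -> 00 00 */
        out[n++] = (uint8_t)(le & 0xff);            /* short 256 -> 00 */
    }
    return n;
}

int main(void)
{
    /* Constructed sample: header bytes and an all-zero 256-byte block. */
    uint8_t hdr[4] = {0x00, 0x2A, 0x80, 0x86}, in[256] = {0}, out[300];
    printf("short only: %zu\n", apdu_encode(out, sizeof out, hdr, in, 256, 256, 0));
    printf("extended:   %zu\n", apdu_encode(out, sizeof out, hdr, in, 256, 256, 1));
    return 0;
}
```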