[Sent to Martin only by mistake. Apologies.]
On Sun, Aug 15, 2010 at 16:11, Martin Paljak <mar...@paljak.pri.ee> wrote:
>> I think that the checks already in place are all right. I guess that
>> implementation quirks may arise if and when 2048-bit keys are
>> supported, but currently I know of no CNS card with keys longer than
>> 1024 bit, so it's safe for the time being.
>
> That's a good example: iso7816.c should be eventually updated to work with
> extended APDU-s and 2048b keys as well.
I guess that it should also include the proper workarounds for
configurations (card readers, or specific reader+card combinations)
that do not support extended APDUs properly. I should have a CardOS
4.2/4.3 card that could be initialized with 2048-bit keys. Will write
that down as a worthwile project. :)
> Some things to consider
> * javacard driver really should be the last but one driver before default.
> It is as dummy by nature as the default driver.
> * card->name vs driver->name. Currently the card driver name is long and in
> Italian ("Carta Nazionale dei Servizi") while the card name is short and in
> English. Keep in mind that the driver name is hidden from most users and the
> card name pops up with opensc-tool -n and in your case in PKCS#11 token
> labels. You might want to balance between them, as long as OpenSC does not
> have localization support.
> * Also, you use the card name as the PKCS#15 card label. From personal
> experience I'd suggest to use something personal instead of that, so that
> Firefox or thunderbird could differentiate between two cards of the same
> type. For the Estonian ID-card it used to be "ID-kaart" as well, but "MARTIN
> PALJAK (PIN1)" prompt beats "ID-kaart (PIN1)" prompt.
I've taken care of them in
http://www.opensc-project.org/opensc/attachment/ticket/177/itacns-patch5.diff
The only noteworthy new part is at pkcs15-itacns.c:319 and following,
where the cardholder's personal data is read and parsed. I think the
code is defensive enough not to break even with invalid data in the
file.
Bye!
--
Emanuele
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
