On Thu, 2010-09-02 at 21:31 +0300, Martin Paljak wrote:
> Hello,
>
> On Sep 2, 2010, at 9:16 PM, Andre Zepezauer wrote:
> > But as an inspiration for the future, this problem can be solved throughout
> > exploiting logical channels.
> Which problem? How?

1. If only one application authenticates successfully, then the token
   becomes unlocked and will be accessible without authentication for
   all the other applications _and_ users too.

2. Application A authenticates successfully. Later application B fails
   to authenticate. Now application A is unauthenticated too. Not sure
   if mozilla will ask for a pin again. My assumption is, it won't.

3. Left as an exercise for the interested reader.

> However, logical channels may share application-dependent security status and
> therefore may have security-related command interdependencies across logical
> channels (e.g. password verification).

Source iso7816-4 Draft:

After a successful open function performed from

1) the basic logical channel (bits 6, 2 and 1 all set to zero in CLA,
   coding number zero), the MF shall be implicitly selected as the
   current DF and the security status for the new logical channel
   should be the same as for the basic logical channel after the answer
   to reset. The security status of the new logical channel should be
   separate from that of any other logical channel.

2) a non-basic logical channel (bits 6, 2 and 1 not all set to zero in
   CLA, coding a number from one to seven), the current DF of the
   logical channel from which the command was issued shall be selected
   as the current DF and the security status for the new logical
   channel should be the same as for the logical channel from which the
   open function was performed.

> Do you have a specific card in mind?

Every modern Java card and in particular GlobalPlatform is capable of
doing so, if the applet implements javacard.framework.MultiSelectable.

> Do you have a patch

No.

> or a plan on how to apply the concept to OpenSC?

Not in detail. But if someone will begin a serious discussion on it,
then I will participate.
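
The sketch below is an added illustration, not part of the original message and not OpenSC code. It replays problems 1 and 2 against a card with a single shared security status and against a card that keeps a separate status per logical channel, using the inheritance rules from the quoted draft text. The class names, the sample PIN and the assumption that the card follows the draft's "should" wording are constructed for the example.

```python
# Constructed toy model of card security status; not OpenSC code.
PIN = "1234"  # constructed sample PIN


class SharedStatusCard:
    """One security status for the whole card (problems 1 and 2)."""

    def __init__(self):
        self.verified = False

    def verify(self, app, pin):
        # Every VERIFY overwrites the single status, whoever sent it.
        self.verified = (pin == PIN)
        return self.verified


class ChannelCard:
    """Separate security status per logical channel (assumed card behaviour)."""

    def __init__(self):
        self.status = {0: False}  # basic channel, state after answer to reset

    def open_channel(self, opener=0):
        # Channel numbers one to seven, as in the quoted draft.
        number = next(n for n in range(1, 8) if n not in self.status)
        # From the basic channel: same status as after answer to reset.
        # From a non-basic channel: same status as the opening channel.
        self.status[number] = False if opener == 0 else self.status[opener]
        return number

    def verify(self, channel, pin):
        self.status[channel] = (pin == PIN)
        return self.status[channel]


def scenario():
    """Replay problems 1 and 2 against both models."""
    shared = SharedStatusCard()
    shared.verify("A", PIN)
    b_unlocked = shared.verified                # problem 1: B never sent a PIN
    shared.verify("B", "0000")
    a_still_ok = shared.verified                # problem 2: A loses its status
    card = ChannelCard()
    a, b = card.open_channel(), card.open_channel()
    card.verify(a, PIN)
    b_isolated = not card.status[b]
    card.verify(b, "0000")
    child = card.open_channel(opener=a)         # inherits A's verified status
    return b_unlocked, a_still_ok, b_isolated, card.status[a], card.status[child]
```

The model leaves out the PIN retry counter, which stays shared per PIN object even when the verification status is tracked per channel.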