On 14.01.2011 09:57, Aventra wrote:
> Hi,
>
>> From:
>> opensc-devel-boun...@lists.opensc-project.org[mailto:opensc-devel-boun...@lists.opensc-project.org]
>> On Behalf Of Viktor TARASOV
>> On 13.01.2011 18:23, Aventra wrote:
>>>> From:
>>>> opensc-devel-boun...@lists.opensc-project.org[mailto:opensc-devel-boun...@lists.opensc-project.org]
>>>> On Behalf Of Viktor TARASOV
>>>> Do you use the myeid.profile that is actually in the trunk?
>>>> Normally you don't need SoPIN if you use it. The essential CREATE, UPDATE
>>>> ACLs reference the User PIN.
>>>> In my tests with opensc tools (import PKCS#12, key generation) SOPIN
>>>> was not needed for MyEID card.
>>> Yes I agree that normally the SO-PIN is not needed, but I think we are
>>> talking about different things now.
>>> Somebody might want to protect the card more than others. At least in
>>> Finland it is very common to have 3 PIN codes (basic, sign and so-pin),
>>> and the SO-PIN protects these xDF files from deletion (not update of
>>> course).
>> So, you are talking about a profile that is more protected than the one that
>> is actually in trunk.
> Anybody can change the profile if they want to. We have defined a default
> profile for MyEID that suits common cases.

Just for the sake of curiosity, can you post here an example of a 'protected'
profile for the MyEID card?

>> What do you think, will it be sufficient, during the card initialization,
>> to create all xDF files that have 'CREATE' protected by SOPIN ?
> What I mean is that OpenSC would create the whole structure defined in the
> profile, regardless of the ACLs.
> I know that the driver can do this by itself, but why not implement it in
> OpenSC so that it would work for all cards?

Personally I have no objections, but we cannot take a rapid decision for all
the cards. I don't know if somebody actually considers it useful not to create
all xDFs (including rarely used DODF, SKDF, ).
We'll be waiting for the other opinions.

What can be done easily is a new profile option "create-all-xDF".
So you will have the possibility to do what you want in a manner that is
non-intrusive for the other cards.

Take also into consideration that all card profiles are loaded after the
general 'pkcs15.profile', where all xDFs are defined. And so the list of xDFs
to create is not completely controlled by the card's profile.

> One thing it could do, is to check when initialization is done each of the
> known identifiers (PrKDF, PuKDF, CDF..),
> if these have been defined in the profile, it would create them.
>
> One additional feature that is lacking from OpenSC is that it does not
> create the PIN codes automatically (except the SO-PIN).

Sorry, I do not follow what you mean.

Kind wishes,
Viktor.