On 15/02/2011 16:47, Viktor TARASOV wrote:

>> Ok. So, 'limiting' to 32 keys (due to said limit in pkcs15-tool), I
>> could have:
>>    cdf_size = 8640 # 3 * 32 * 90 (an average of 3 keys in every cert)
> You mean 3 certs for each key?
> I think that it's difficult to generalize this relation, the contexts of the 
> card usage are so different.
I think a typical usage is that in every cert there's a "root" cert 
(whose key is kept offline) that authenticates an intermediate CA cert 
key (often kept online), that authenticates user key. So 3 certs for 
every user key. Obviously there could be CAs that sign user keys 
directly w/ their master key, and others that have more than one 
intermediate CA. And really often a user only relies on a single CA for 
all his/her certs, so needing only one root CA cert and 2-3 intermediate 
certs (so reducing the storage needs by 60 certs).

> Of course the last word is for Toni, but, imho, the actual default value of 
> 'cdf-size' is really too low.
I always listen to more experienced people, then err on my own :)

> As for me it should be around one-two times larger than prkdf-size.
> I do not have justification for this relation, only very vague considerations:
> 2-3 certs per key,
Ok. So my value was right: 3 times prkdf-size :)

>>    prkdf_size = 2880 # 32 * 90
>>    pukdf_size = 2880 # idem... but why is default smaller than prkdf_size?
> Generally there is no PubKey object corresponding to the imported keys.
> Imported private key is immediately accompanied with the corresponding 
> certificate
> or have sufficiently explicit attributes (ID) that allows to link it with the 
> future certificate.
Ah, Ok. I thought a pubkey was stored anyway.

>> PS: seems MyEID can't generate <1024bit keypairs... Is it right? From
>> specs I understood it could work from 512 to 2048...
> It can generate 1024bit keys.
Yup. But I understood that it could generate keys down to 512. Probably 
misunderstood the docs.

BYtE!
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel