On 15.02.2011 18:56, NdK wrote:
> On 15/02/2011 16:47, Viktor TARASOV wrote:
>
>>> Ok. So, 'limiting' to 32 keys (due to said limit in pkcs15-tool), I
>>> could have:
>>> cdf_size = 8640 # 3 * 32 * 90 (an average of 3 keys in every cert)
>> You mean 3 certs for each key?
>> I think that it's difficult to generalize this relation, the contexts of the
>> card usage are so different.
> I think a typical usage is that in every cert there's a "root" cert
> (whose key is kept offline) that authenticates an intermediate CA cert
> key (often kept online), that authenticates the user key. So 3 certs for
> every user key. Obviously there could be CAs that sign user keys
> directly w/ their master key, and others that have more than one
> intermediate CA. And really often a user only relies on a single CA for
> all his/her certs, so needing only one root CA cert and 2-3 intermediate
> certs (so reducing the storage needs by 60 certs).
>
>> Of course the last word is for Toni, but, imho, the actual default value of
>> 'cdf-size' is really too low.
> I always listen to more experienced people, then err on my own :)
>
>> As for me it should be around one-two times larger than prkdf-size.
>> I do not have justification for this relation, only very vague
>> considerations:
>> 2-3 certs per key,
> Ok. So my value was right: 3 times prkdf-size :)
>
>>> prkdf_size = 2880 # 32 * 90
>>> pukdf_size = 2880 # idem... but why is the default smaller than prkdf_size?
>> Generally there is no PubKey object corresponding to the imported keys.
>> An imported private key is immediately accompanied with the corresponding
>> certificate
>> or has sufficiently explicit attributes (ID) that allow it to be linked with
>> the future certificate.
> Ah, Ok. I thought a pubkey was stored anyway.
>
>>> PS: seems MyEID can't generate <1024-bit keypairs... Is it right? From
>>> the specs I understood it could work from 512 to 2048...
>> It can generate 1024-bit keys.
> Yup. But I understood that it could generate keys down to 512. Probably
> misunderstood the docs.
Sorry, this card can generate 512-bit keys. For that the corresponding algorithm should be added to the list of the card's algorithms.

--- src/libopensc/card-myeid.c (révision 5194)
+++ src/libopensc/card-myeid.c (copie de travail)
@@ -100,6 +100,7 @@
 	flags = SC_ALGORITHM_RSA_RAW | SC_ALGORITHM_RSA_PAD_PKCS1 | SC_ALGORITHM_ONBOARD_KEY_GEN;
 	flags |= SC_ALGORITHM_RSA_HASH_NONE | SC_ALGORITHM_RSA_HASH_SHA1 | SC_ALGORITHM_ONBOARD_KEY_GEN;
+	_sc_card_add_rsa_alg(card, 512, flags, 0);
 	_sc_card_add_rsa_alg(card, 1024, flags, 0);
 	_sc_card_add_rsa_alg(card, 2048, flags, 0);

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
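Review bot: The added line `_sc_card_add_rsa_alg(card, 512, flags, 0);` advertises 512-bit RSA as a supported size for onboard key generation with the same flags as 1024 and 2048, and a 512-bit modulus is factorable with commodity resources, so any pkcs15-init profile that asks for it will get keys that give no real protection. If the entry is kept because the card specification lists it, a comment in the driver marking the size as insecure and a minimum-size check or warning in the pkcs15-init key-generation path would keep it from being chosen by default. Also visible in the context lines: SC_ALGORITHM_ONBOARD_KEY_GEN is OR'd into `flags` twice (once in the `flags =` line and again in the `flags |=` line); the second occurrence is redundant and could be dropped while this block is being touched.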