On 3/30/2011 11:38 AM, Viktor TARASOV wrote:
> On 28/03/2011 18:29, Douglas E. Engert wrote:
>> On 3/28/2011 7:06 AM, Viktor TARASOV wrote:
>>> On 25/03/2011 20:51, Douglas E. Engert wrote:
> ...
>>>> Do we really need the GUID format? "{" and "}" and 4 "-" take up 6
>>>> characters that could be used for more serial number and ID.
>>> Not really.
>>> I've got used to this GUID format in the Windows world,
>>> and so it seemed to me quite natural to use it for the Windows containers.
>> The { - - - - } characters don't add any uniqueness, but do take 6 characters
>> of the 39, leaving only 32 to stuff a serial number and ID.
>
> What would you say if we accept the 'classic' GUID form as a default one,
> and give the possibility to define its own format to the pkcs15 card driver?
This is not a card driver issue. It's a cardmod issue. This is only used by the cardmod, which wants a unique string for each cert. I would rather see an approach where, if you cannot combine the serial number and the ID into a string that will fit in 39 characters, you then drop the "{", "}" and 4 "-" and see if that will fit.

The intent is to have a unique string for each certificate that can be obtained from the card and the certificate, and the same card and cert will always return the same value. By using the serial number and dropping some of the trailing bytes, there is a good chance that the string will not be unique and could cause issues if many cards are used on the same machine. In the OpenSC PIV case, the last byte is dropped, which means 256 consecutively issued cards would have the same containerID. (The Windows 7 built-in driver drops 3 bytes from the serial number, and thus 16 million cards may have the same containerID!) With 16 byte serial numbers, there is not room to add the cert ID to this.

If you want to drop some bytes from a serial number, drop them from the first bytes of the serial number, not the last. This would have a better chance of not having problems. A side question is how big serial numbers are and how they are generated on other cards?

Another approach is to use an md5 or sha-1 hash of the serial number and the cert ID, so as to keep as much uniqueness as possible, as defined here:

http://en.wikipedia.org/wiki/Universally_unique_identifier
http://msdn.microsoft.com/en-us/library/aa373931(v=vs.85).aspx

"GUIDs are the Microsoft implementation of the distributed computing environment (DCE) universally unique identifier (UUID)."

Note that the cardmod is not asked to return a GUID but rather to return a string that looks like a GUID.

> A new sc_pkcs15_operations callback will be used:
> http://www.opensc-project.org/opensc/browser/trunk/src/libopensc/pkcs15.h#L462
>
> If no objections I'll prepare the patch.

--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
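The collision argument in the thread (drop the last serial byte and 256 consecutively issued cards share one container name; drop leading bytes or hash instead and they do not) can be checked directly. The script below is an added illustration written for this page; it is not OpenSC or cardmod code. It assumes the 39-character limit quoted above includes the terminating NUL, uses SHA-1 as one of the two hashes Douglas floats, and combines serial and cert ID with length prefixes (a choice made here, not something the thread specifies). The sample serials are constructed.

```python
import hashlib
from typing import Iterable

GUID_TEXT_LEN = 38         # "{8-4-4-4-12}": 32 hex digits + 4 dashes + 2 braces
MAX_CONTAINER_NAME = 39    # limit quoted in the thread; assumed to include the NUL


def format_guid(raw16: bytes) -> str:
    """Render 16 bytes in the {8-4-4-4-12} text form the cardmod expects."""
    if len(raw16) != 16:
        raise ValueError("need exactly 16 bytes")
    h = raw16.hex()
    return "{%s-%s-%s-%s-%s}" % (h[:8], h[8:12], h[12:16], h[16:20], h[20:])


def name_by_truncation(serial: bytes, cert_id: bytes, drop_from_end: bool = True) -> str:
    """Squeeze serial + cert ID into 16 bytes by dropping serial bytes.

    drop_from_end=True drops trailing serial bytes (the behaviour criticised in the
    thread); False drops leading bytes, as the reply suggests instead.
    """
    budget = 16 - len(cert_id)
    if budget < 0:
        raise ValueError("cert ID alone exceeds 16 bytes")
    if budget == 0:
        trimmed = b""
    elif drop_from_end:
        trimmed = serial[:budget]
    else:
        trimmed = serial[-budget:]
    raw = (trimmed + cert_id).ljust(16, b"\0")   # pad short inputs with zero bytes
    return format_guid(raw)


def name_by_hash(serial: bytes, cert_id: bytes) -> str:
    """Hash serial and cert ID and keep 16 bytes, so every byte of both inputs
    influences the name. Length prefixes keep (serial, id) pairs unambiguous."""
    msg = bytes([len(serial)]) + serial + bytes([len(cert_id)]) + cert_id
    return format_guid(hashlib.sha1(msg).digest()[:16])


def count_collisions(names: Iterable[str]) -> int:
    """Number of names that duplicate an earlier one in the list."""
    names = list(names)
    return len(names) - len(set(names))


def demo() -> dict:
    # Constructed sample: 256 consecutively issued 16-byte serials that differ only
    # in their last byte, each card carrying a certificate with ID 0x01.
    base = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f00")
    cert_id = b"\x01"
    serials = [base[:-1] + bytes([i]) for i in range(256)]

    drop_last = [name_by_truncation(s, cert_id, True) for s in serials]
    drop_first = [name_by_truncation(s, cert_id, False) for s in serials]
    hashed = [name_by_hash(s, cert_id) for s in serials]

    return {
        "drop_last_byte": count_collisions(drop_last),    # every card gets the same name
        "drop_first_byte": count_collisions(drop_first),  # distinct for this batch
        "sha1": count_collisions(hashed),                 # distinct
        "fits_limit": all(len(n) + 1 <= MAX_CONTAINER_NAME for n in hashed),
    }


if __name__ == "__main__":
    for scheme, value in demo().items():
        print("%-16s %s" % (scheme, value))
```

Dropping leading bytes only helps while the varying part of the serial sits at the end, which depends on how each issuer generates serials (the open question in the thread); the hash variant does not depend on that layout, and still yields a stable name for the same card and cert every time.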