On 3/30/2011 11:38 AM, Viktor TARASOV wrote:
> Le 28/03/2011 18:29, Douglas E. Engert a écrit :
>> On 3/28/2011 7:06 AM, Viktor TARASOV wrote:
>>> Le 25/03/2011 20:51, Douglas E. Engert a écrit :
> ...
>>>> Do we really need the GUID format? "{" and "}" and 4 "-" take up 6
>>>> characters that could be used for more serial number and ID.
>>> Not really.
>>> I'm get used to this GUID format in the Windows world.
>>> and so it seemed to me quite natural to use it for the Windows containers.
>> The { - - - - } characters dont add any uniqueness, but do take 6 characters
>> of the 39. leaving only 32, to stuff a serial number and ID.
>
> What would you say if we accept the 'classic' GUID form as a default one,
> and give the possibility to define its own format to the pkcs15 card driver ?
This is not a card driver issue. Its a cardmod issue. This is only used by the
cardmod which wants a unique string for each cert.
I would rather see an approach if you can not combine the serial number and the
ID into a string that will fit in 39 characters, then drop the "{", "}" and 4
"-"
and see if that will fit.
The intent is to have a unique string for each certificate that can
be obtained from the card and the certificate, and the same card and cert
will always return the same value.
By using the serial number and dropping some of the trailing bytes,
there is a good chance that the string will not be unique and could cause
issues if many cards are used on the same machine.
In the OpenSC PIV case, the last byte is dropped. which means 256 consecutively
issued cards would have the same containerID. (Windows 7 built-in driver drops 3
bytes from the serial number, and thus 16Million cards may have the same
containerID!)
With 16 byte serial numbers, there is not room to add the cert ID to this.
If you want to drop some bytes from a serial number, drop then from the
first bytes of the serial number, not the last. This would have a better
chance of not having problems.
As side question is how big are serial numbers and how are they generated
on other cards?
Another approach is to use md5 or sha-1 hash of the serial number and the cert
ID
so as to keep as much uniqueness as possible as defined here:
http://en.wikipedia.org/wiki/Universally_unique_identifier
http://msdn.microsoft.com/en-us/library/aa373931(v=vs.85).aspx
GUIDs are the Microsoft implementation of the distributed computing
environment
(DCE) universally unique identifier ( UUID).
Note that the cardmod is not asked to return a GUID but rather to return
a string that looks like a GUID.
> A new sc_pkcs15_operations callback will be used:
> http://www.opensc-project.org/opensc/browser/trunk/src/libopensc/pkcs15.h#L462
>
> If no objections I'll prepare the patch.
>
--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
