On 01/05/2011 06:33, Peter Stuge wrote:
> Viktor TARASOV wrote:
>> when creating new object with protected usage (using
>> 'pkcs15-init'), the 'auth-id' argument is mandatory.
>> 'Auth-id' argument can have only one possible value
> This I think is the crux, and it always seemed stupid to me that I
> need to provide an argument which can only ever have one correct
> value.

Agree.
I guess that for the OpenSC fathers there was some reason in it.
Now, probably, these reasons are 'historical'.


>> Brief, 'auth-id' has to correspond to the ACLs settings from the
>> card profile.
> More specifically the card profile used to create the parent.

Not exactly.
The 'auth-id' protects the object's 'usage' -- not its creation.


>> - this situation is considered as: 'not friendly'(VT),
>> 'dangerous and error-prone' (NdK), 'possibly out-of sync' (NdK);
> Plain dumb.
...

>> - 'auth-id' argument should have a possibility to overwrite, in
>>    somewhat manner, the profile settings for a new object's ACLs.
> Why does it need to be overridden when only one value can be correct?

I imagine it in the following manner:

- The 'auth-id' parameter is not mandatory. Without it, the value of
  CommonObjectAttributes.authId is derived from the 'usage' ACL settings
  in the profile. It presumes that all of the object's 'usage' operations
  are protected by the same PIN.

- When 'auth-id' is given, the 'usage' ACLs from the profile are modified.
  The modified ACLs are built with the PIN reference (or SE reference)
  that comes from PinAttributes.pinReference of the existing PKCS#15 Auth
  object indicated by 'auth-id'.

The utility of the second faculty can be, for example, when generating a
Signature key.
A Signature key, normally, has to be protected by the dedicated SignPIN.
The card profile contains only one 'general' Private Key template, with the
general usage ACLs.
The 'auth-id' argument will change the 'default' ACLs to reflect the protection
of 'usage' by SignPIN.
The ID of the SignPIN PKCS#15 object will be referenced in the new object's
CommonObjectAttributes.authId.


>> - there are the volunteers to propose an appropriate solution.
> It seems to me that there is an obvious solution:
>
> Always autodetect the correct auth-id value and remove the option.
>
> The implementation is another issue however! Especially for cards
> which do not inform the ACL in effect. As Diego points out the only
> real solution for them is to describe the "equivalent ACL" in the
> OpenSC card driver (as in, not where anyone can change it easily)
> and to never change it.
>
>
> //Peter
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>


-- 
Viktor Tarasov  <viktor.tara...@opentrust.com>
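
The two behaviours proposed in the message above (derive authId from the profile's 'usage' ACLs when 'auth-id' is absent, rewrite those ACLs from the named Auth object's pinReference when it is given), as an added example that is not part of the original message and is not OpenSC code. All struct, function and sample names are hypothetical, and rejecting a profile whose usage operations name different PINs is an assumption.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified model of the proposal; not OpenSC structures. */
enum { OP_SIGN, OP_DECIPHER, OP_COUNT };                   /* 'usage' operations */
struct auth_obj { int id; int pin_reference; };            /* Auth object ID, PinAttributes.pinReference */
struct key_obj  { int auth_id; int usage_acl[OP_COUNT]; }; /* CommonObjectAttributes.authId + usage ACLs */

/* Constructed sample data: a general PIN (ID 0x01) and a SignPIN (ID 0x02). */
const struct auth_obj SAMPLE_AUTHS[] = { {0x01, 0x81}, {0x02, 0x82} };
const int SAMPLE_PROFILE_ACL[OP_COUNT] = { 0x81, 0x81 };   /* one PIN for every usage */
const int MIXED_PROFILE_ACL[OP_COUNT]  = { 0x81, 0x82 };   /* different PIN per usage */
struct key_obj demo_key;

static const struct auth_obj *find_auth(const struct auth_obj *a, size_t n,
                                        int value, int by_ref)
{
    for (size_t i = 0; i < n; i++)
        if ((by_ref ? a[i].pin_reference : a[i].id) == value)
            return &a[i];
    return NULL;
}

/* auth_id < 0 means the 'auth-id' argument was not given. Returns the authId
 * stored in the new object, or -1 when no consistent value exists. */
int resolve_auth(const int profile_acl[OP_COUNT], const struct auth_obj *auths,
                 size_t n, int auth_id, struct key_obj *out)
{
    const struct auth_obj *a;
    if (auth_id >= 0) {
        /* Explicit auth-id: rewrite the profile's usage ACLs with the
         * PIN reference of the Auth object it names. */
        if (!(a = find_auth(auths, n, auth_id, 0)))
            return -1;                      /* no such Auth object */
        for (int i = 0; i < OP_COUNT; i++)
            out->usage_acl[i] = a->pin_reference;
    } else {
        /* No auth-id: derive it from the profile. Assumption: refuse when
         * the usage operations are not all protected by the same PIN. */
        for (int i = 1; i < OP_COUNT; i++)
            if (profile_acl[i] != profile_acl[0])
                return -1;
        if (!(a = find_auth(auths, n, profile_acl[0], 1)))
            return -1;                      /* profile names an unknown PIN */
        memcpy(out->usage_acl, profile_acl, sizeof out->usage_acl);
    }
    out->auth_id = a->id;
    return out->auth_id;
}
```

In both branches the stored authId and the usage ACLs come from the same Auth object, so the two cannot drift out of sync.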
