On 6/10/2011 12:08 PM, Martin Paljak wrote:
>
> On Jun 10, 2011, at 13:11 , Stef Walter wrote:
>
>> On 06/09/2011 09:37 PM, Stef Walter wrote:
>>> I'm working on integrating smart card support via PKCS#11 into glib and
>>> gcr (part of gnome-keyring). We're integrating with GnuTLS for TLS support.
>>>
>>> I'd like to be able to do a C_Login in my code, and then pass off the
>>> URL to Gnutls. GnuTLS would then open another session, recognize that
>>> we're already logged in (this may need a slight tweak in the gnutls
>>> code) and then proceed without prompting the user.
>>
>> After sleeping on this idea, I realized it won't work in certain cases.
>> In particular when the key has CKA_ALWAYS_AUTHENTICATE and requires
>> C_Login with CKU_CONTEXT_SPECIFIC.
> This is hardly the case with SSL.
>
> CKA_ALWAYS_AUTHENTICATE in OpenSC context for example is only set for keys 
> that require "user consent" or usually are used for "nonrepudiation".
> Most cards I've seen can use authentication keys once the cardholder is 
> verified until the card is reset or removed.
>
> Using such card with a pinpad reader would be impossible for web 
> authentication, you'd be typing the PIN most of the time.

The PIV card is an example of this.

The PIV card's "Certificate for Digital Signature" (9C key) requires the
CKA_ALWAYS_AUTHENTICATE. It is enforced by the card, in that a crypto operation
using the (9C key) must immediately follow a PIN verify. No other card operations
are allowed between the verify and crypto. (The use of PIN caching IMHO is a security
risk or violation of policy. Policy may require the use of a PIN PAD reader,
so caching would not work.)

So with a browser this is not an issue, as it is using the authentication cert,
but when signing e-mail, for example with Thunderbird, you must enter the PIN
for each e-mail signature operation.

-- 

  Douglas E. Engert  <deeng...@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
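The following C program is an added illustration of the card-side rule discussed in this message; it is not code from the thread, from OpenSC, or from any PIV middleware. It is a constructed model: the operation names, the two state flags and the scenario functions are assumptions chosen to replay the cases the thread raises (log in from one PKCS#11 session and hand the key off to another library that issues its own commands before signing; the same hand-off with the authentication key; one VERIFY directly before each e-mail signature; a card reset). In PKCS#11 terms the per-operation verify is the C_Login(CKU_CONTEXT_SPECIFIC) call made between C_SignInit and C_Sign for a key whose CKA_ALWAYS_AUTHENTICATE attribute is CK_TRUE.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model (not a card API): a private-key operation with an
 * always-authenticate key (PIV 9C) is accepted only if the command issued
 * immediately before it was a PIN VERIFY. A key without that attribute
 * (the PIV authentication key) only needs the PIN to have been verified at
 * some point since the last reset or removal. */
typedef enum {
    OP_VERIFY_PIN,      /* PIN presented to the card (C_Login) */
    OP_OTHER,           /* any other command: select, read object, find ... */
    OP_CRYPTO_AUTH_KEY, /* private-key op, key without CKA_ALWAYS_AUTHENTICATE */
    OP_CRYPTO_SIG_KEY,  /* private-key op, key with CKA_ALWAYS_AUTHENTICATE */
    OP_RESET            /* card reset or removal */
} card_op_t;

typedef struct {
    bool user_verified;   /* PIN verified at least once since the last reset */
    bool verify_was_last; /* the command just before this one was VERIFY */
} card_state_t;

/* Apply one command to the modelled card; returns true if it was accepted. */
static bool card_apply(card_state_t *s, card_op_t op) {
    bool ok = true;
    switch (op) {
    case OP_RESET:
        s->user_verified = false;
        s->verify_was_last = false;
        return true;
    case OP_VERIFY_PIN:
        s->user_verified = true;
        s->verify_was_last = true;
        return true;
    case OP_CRYPTO_AUTH_KEY:
        ok = s->user_verified;
        break;
    case OP_CRYPTO_SIG_KEY:
        ok = s->user_verified && s->verify_was_last;
        break;
    case OP_OTHER:
        break;
    }
    /* Anything other than VERIFY breaks the "immediately follows" chain. */
    s->verify_was_last = false;
    return ok;
}

/* Replay a command sequence on a fresh card. Returns the index of the first
 * command the card rejects, or -1 if every command was accepted. */
static int first_rejected(const card_op_t *ops, size_t n) {
    card_state_t card = { false, false };
    for (size_t i = 0; i < n; i++)
        if (!card_apply(&card, ops[i]))
            return (int)i;
    return -1;
}

#define LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Proposal in the thread: log in from one PKCS#11 session, then hand the key
 * URL to another library, which opens its own session and issues a few
 * commands of its own before signing with the 9C key. */
int scenario_handoff_sig_key(void) {
    const card_op_t ops[] = { OP_VERIFY_PIN, OP_OTHER, OP_OTHER, OP_CRYPTO_SIG_KEY };
    return first_rejected(ops, LEN(ops)); /* 3: the signature is rejected */
}

/* Same hand-off with the authentication key (the browser/TLS case):
 * one PIN entry covers any number of later operations. */
int scenario_handoff_auth_key(void) {
    const card_op_t ops[] = { OP_VERIFY_PIN, OP_OTHER, OP_OTHER,
                              OP_CRYPTO_AUTH_KEY, OP_OTHER, OP_CRYPTO_AUTH_KEY };
    return first_rejected(ops, LEN(ops)); /* -1: all accepted */
}

/* E-mail signing with the 9C key: a fresh VERIFY directly before each
 * signature, i.e. one PIN prompt per signed message. */
int scenario_verify_per_signature(void) {
    const card_op_t ops[] = { OP_VERIFY_PIN, OP_OTHER, OP_VERIFY_PIN, OP_CRYPTO_SIG_KEY,
                              OP_OTHER, OP_VERIFY_PIN, OP_CRYPTO_SIG_KEY };
    return first_rejected(ops, LEN(ops)); /* -1: all accepted */
}

/* A reset or removal discards the verified state for both key types. */
int scenario_reset_clears_verification(void) {
    const card_op_t ops[] = { OP_VERIFY_PIN, OP_RESET, OP_CRYPTO_AUTH_KEY };
    return first_rejected(ops, LEN(ops)); /* 2: the auth-key op is rejected */
}

int main(void) {
    printf("hand-off, 9C key: first rejected = %d\n", scenario_handoff_sig_key());
    printf("hand-off, auth key: first rejected = %d\n", scenario_handoff_auth_key());
    printf("verify per signature: first rejected = %d\n", scenario_verify_per_signature());
    printf("reset then auth key: first rejected = %d\n", scenario_reset_clears_verification());
    return 0;
}
```

The first scenario is the one that defeats the "log in once, then hand the URL to GnuTLS" plan: any command the second library issues between the VERIFY and the 9C operation resets the adjacency the card checks, so the only working sequence for an always-authenticate key is a context-specific login issued by the same code path that is about to sign, each time it signs.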