On 06/10/2011 07:08 PM, Martin Paljak wrote:
> On Jun 10, 2011, at 13:11 , Stef Walter wrote:
>> After sleeping on this idea, I realized it won't work in certain
>> cases. In particular when the key has CKA_ALWAYS_AUTHENTICATE and
>> requires C_Login with CKU_CONTEXT_SPECIFIC.
>
> This is hardly the case with SSL.
>
> CKA_ALWAYS_AUTHENTICATE in OpenSC context for example is only set for
> keys that require "user consent" or usually are used for
> "nonrepudiation". Most cards I've seen can use authentication keys
> once the cardholder is verified until the card is reset or removed.
>
> Using such card with a pinpad reader would be impossible for web
> authentication, you'd be typing the PIN most of the time.
That's a good point. I wasn't thinking about that.

That said, I've come up with what would possibly be a less hacky solution to the problem (less hacky than logging into a session in one library, and assuming a new session will already be logged in in another library in the same process).

Since the PKCS#11 URIs say that the pinfile attribute of the URI can be determined by the application, we can build something simple in p11-kit and register callbacks so that one component (in the same process) can provide the PIN for another (like gnutls).

I've roughed this out, and it works quite well. I'll post more about it next week.

Cheers,

Stef

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
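The in-process PIN callback scheme sketched in the message above, as an added illustration that is not Stef's p11-kit code and not part of the original thread: a small registry where the application registers a callback under the name carried by the key URI's pin attribute (the draft's `pinfile`, which RFC 7512 later standardised as `pin-source`), and a consumer library looks that name up when it needs to call C_Login. The function names (`pin_register_callback`, `pin_request`, `consumer_login_with_uri`), the flag values, the registry size and the sample PIN are all assumptions made for this example; p11-kit's shipped API uses the same idea under different names (`p11_kit_pin_register_callback`, `p11_kit_pin_request`). The application-side callback declines context-specific logins, which is the CKA_ALWAYS_AUTHENTICATE caveat Martin raises, since a cached PIN must not silently satisfy a user-consent key.

```c
#include <stdio.h>
#include <string.h>

#define PIN_MAX 64                      /* largest PIN a requester accepts */
#define PIN_FLAG_USER_LOGIN    0x01     /* needed for C_Login(CKU_USER) */
#define PIN_FLAG_CONTEXT_LOGIN 0x02     /* C_Login(CKU_CONTEXT_SPECIFIC) for a CKA_ALWAYS_AUTHENTICATE key */
#define PIN_FALLBACK ""                 /* hypothetical catch-all pin-source name */

typedef int (*pin_callback)(const char *pin_source, const char *description,
                            unsigned flags, void *user_data,
                            char *pin_out, size_t pin_max);

struct pin_registration {
    const char *pin_source;  /* registrant keeps this string alive */
    pin_callback cb;
    void *user_data;
};

static struct pin_registration registry[16];  /* assumed fixed-size registry */
static size_t registry_len;

/* Register a callback for one pin-source name (PIN_FALLBACK answers for any name). */
int pin_register_callback(const char *pin_source, pin_callback cb, void *user_data)
{
    if (registry_len >= sizeof registry / sizeof registry[0])
        return -1;
    registry[registry_len].pin_source = pin_source;
    registry[registry_len].cb = cb;
    registry[registry_len].user_data = user_data;
    registry_len++;
    return 0;
}

/* Overwrite a PIN buffer; the volatile pointer keeps the stores from being optimised away. */
void pin_wipe(char *buf, size_t len)
{
    volatile char *p = buf;
    while (len--)
        *p++ = 0;
}

/* Ask the process for the PIN named pin_source. Exact match first, then the
 * fallback; newest registration wins; a callback returning <0 declines and the
 * search continues. Returns the PIN length, or -1 if nobody answered. */
int pin_request(const char *pin_source, const char *description, unsigned flags,
                char *pin_out, size_t pin_max)
{
    const char *keys[2] = { pin_source, PIN_FALLBACK };
    size_t k, i;
    for (k = 0; k < 2; k++)
        for (i = registry_len; i-- > 0; )
            if (strcmp(registry[i].pin_source, keys[k]) == 0) {
                int n = registry[i].cb(pin_source, description, flags,
                                       registry[i].user_data, pin_out, pin_max);
                if (n >= 0)
                    return n;
            }
    return -1;
}

/* Pull one query attribute (e.g. "pin-source") out of a PKCS#11 URI.
 * Percent-decoding is omitted. Returns 0 on success, -1 if absent or too long. */
int pkcs11_uri_query_attr(const char *uri, const char *attr, char *out, size_t outlen)
{
    const char *q = strchr(uri, '?');
    size_t alen = strlen(attr);
    if (!q)
        return -1;
    for (q++; ; q++) {
        const char *end = strchr(q, '&');
        size_t plen = end ? (size_t)(end - q) : strlen(q);
        if (plen > alen + 1 && strncmp(q, attr, alen) == 0 && q[alen] == '=') {
            size_t vlen = plen - alen - 1;
            if (vlen >= outlen)
                return -1;
            memcpy(out, q + alen + 1, vlen);
            out[vlen] = '\0';
            return 0;
        }
        if (!end)
            return -1;
        q = end;
    }
}

static char app_pin[] = "123456";  /* constructed sample PIN held by the application */

/* Application side: answers only with the PIN it holds, and never for a
 * context-specific (user-consent) login, which must reach the cardholder. */
int app_pin_callback(const char *pin_source, const char *description,
                     unsigned flags, void *user_data, char *pin_out, size_t pin_max)
{
    const char *stored = user_data;
    size_t n = strlen(stored);
    (void)pin_source; (void)description;
    if ((flags & PIN_FLAG_CONTEXT_LOGIN) || n >= pin_max)
        return -1;
    memcpy(pin_out, stored, n + 1);
    return (int)n;
}

/* Library side (what a gnutls-like consumer would do before C_Login): read the
 * pin-source from the key URI, ask the process, use the PIN, wipe it. 0 on success. */
int consumer_login_with_uri(const char *key_uri, unsigned flags)
{
    char source[128], pin[PIN_MAX];
    int n, rc = -1;
    if (pkcs11_uri_query_attr(key_uri, "pin-source", source, sizeof source) != 0)
        return -1;
    n = pin_request(source, key_uri, flags, pin, sizeof pin);
    if (n > 0)
        rc = 0;  /* real code would call C_Login(session, ..., pin, n) here */
    pin_wipe(pin, sizeof pin);
    return rc;
}

int main(void)
{
    const char *uri = "pkcs11:token=Test;object=auth-key?pin-source=myapp-token";
    pin_register_callback("myapp-token", app_pin_callback, app_pin);
    printf("user login: %d\n", consumer_login_with_uri(uri, PIN_FLAG_USER_LOGIN));
    printf("context-specific login: %d\n", consumer_login_with_uri(uri, PIN_FLAG_CONTEXT_LOGIN));
    return 0;
}
```

The registry is keyed by name rather than by token or session, so it does not depend on the other library sharing a logged-in session; it also never has to hand the PIN across a library boundary except through the requester's own buffer, which the requester wipes as soon as C_Login would have consumed it.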