On 6/14/2011 9:18 AM, Alon Bar-Lev wrote:
> On Tue, Jun 14, 2011 at 5:15 PM, Viktor Tarasov
> <viktor.tara...@gmail.com> wrote:
>> So, if no objections,
>> in the framework-pkcs15 I will set the 'nonRepudiation' PKCS#15 flag if the
>> key 'create-object' template contains the CKA_ALWAYS_AUTHENTICATE and
>> CKA_SIGN attributes. Thus there is no more need of the vendor-specific attribute.
>
> But this is procedural.
> How can you enforce ALWAYS_AUTHENTICATE on something of your procedure?
> Maybe laws in other countries enable authenticating once in X minutes?
As I understand it, the intent is to pass in some information when creating the key, not necessarily when it is used.

The related question: Viktor, does your card do anything with the nonRepudiation flag when a sign operation is done? (The PIV actually has an internal bit that is set to 1 after a verify PIN operation and set to 0 after every other operation. So a sign operation using the 9C key will only be allowed if the bit is 1.)

Does any PKCS#15 card support such a bit, and thus require a PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute? AFAIK, CKA_ALWAYS_AUTHENTICATE was added after 2004 and was not a concept in the original PKCS#15. Is it in ISO/IEC 7816-15 keyUsageFlags or keyAccessFlags?

--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
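The two points in this exchange, as an added example that is not OpenSC code and not written by any of the posters: (1) the mapping Viktor proposes, where a PKCS#11 key-creation template carrying CKA_SIGN together with CKA_ALWAYS_AUTHENTICATE yields the PKCS#15 nonRepudiation usage bit, and (2) the PIV behaviour Doug describes, where a card-side bit is set only by a successful VERIFY and cleared by every other command, so a 9C signature succeeds only immediately after a PIN verification. The `mock_card` type and `card_*` functions are a toy model written for this example, not a card driver; the CKA_* and SC_PKCS15_PRKEY_USAGE_* values are copied from pkcs11.h and OpenSC's pkcs15.h so the file builds without either header, and the 9A/9C key references and status words follow the PIV convention but are assumed here rather than taken from the thread.

```c
/* Added example: PKCS#11 template -> PKCS#15 usage mapping, plus a mock of the
 * PIV "verified by the previous command" bit. Not OpenSC code. */
#include <stdio.h>
#include <string.h>

typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
#define CK_TRUE  1
#define CK_FALSE 0
#define CKA_SIGN                0x108UL   /* values as in pkcs11.h (v2.20) */
#define CKA_ALWAYS_AUTHENTICATE 0x202UL

typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;

/* Subset of the SC_PKCS15_PRKEY_USAGE_* bits from OpenSC's pkcs15.h. */
#define SC_PKCS15_PRKEY_USAGE_SIGN           0x004u
#define SC_PKCS15_PRKEY_USAGE_NONREPUDIATION 0x200u

static CK_BBOOL attr_is_true(const CK_ATTRIBUTE *t, CK_ULONG n, CK_ULONG type)
{
    for (CK_ULONG i = 0; i < n; i++)
        if (t[i].type == type && t[i].pValue && t[i].ulValueLen == sizeof(CK_BBOOL))
            return *(const CK_BBOOL *)t[i].pValue == CK_TRUE;
    return CK_FALSE;   /* attribute absent: the PKCS#11 default is FALSE */
}

/* The rule proposed in the thread: CKA_SIGN + CKA_ALWAYS_AUTHENTICATE -> nonRepudiation.
 * ALWAYS_AUTHENTICATE on a key without CKA_SIGN (e.g. decrypt-only) sets nothing. */
unsigned int pkcs15_usage_from_template(const CK_ATTRIBUTE *t, CK_ULONG n)
{
    unsigned int usage = 0;
    if (attr_is_true(t, n, CKA_SIGN)) {
        usage |= SC_PKCS15_PRKEY_USAGE_SIGN;
        if (attr_is_true(t, n, CKA_ALWAYS_AUTHENTICATE))
            usage |= SC_PKCS15_PRKEY_USAGE_NONREPUDIATION;
    }
    return usage;
}

/* Builds a two-attribute template and runs the mapping on it. */
unsigned int usage_for(CK_BBOOL sign, CK_BBOOL always_auth)
{
    CK_ATTRIBUTE t[2] = {
        { CKA_SIGN,                &sign,        sizeof sign },
        { CKA_ALWAYS_AUTHENTICATE, &always_auth, sizeof always_auth },
    };
    return pkcs15_usage_from_template(t, 2);
}

/* Mock of the PIV behaviour described in the thread (assumed key refs / SWs). */
enum { KEY_9A = 0x9A, KEY_9C = 0x9C };
enum { SW_OK = 0x9000, SW_SECURITY_STATUS_NOT_SATISFIED = 0x6982, SW_PIN_WRONG = 0x63C0 };

typedef struct {
    const char *pin;
    int pin_verified;       /* ordinary security status: survives until reset */
    int verified_last_cmd;  /* 1 only if the previous command was a successful VERIFY */
} mock_card;

/* Every command ends here; only a successful VERIFY passes set_bit = 1. */
static int finish(mock_card *c, int sw, int set_bit)
{
    c->verified_last_cmd = set_bit;
    return sw;
}

int card_verify(mock_card *c, const char *pin)
{
    if (strcmp(c->pin, pin) != 0)
        return finish(c, SW_PIN_WRONG, 0);
    c->pin_verified = 1;
    return finish(c, SW_OK, 1);
}

int card_get_data(mock_card *c) { return finish(c, SW_OK, 0); }

int card_sign(mock_card *c, int key_ref)
{
    /* 9C needs the bit; 9A only needs the session-wide PIN status. */
    int ok = (key_ref == KEY_9C) ? c->verified_last_cmd : c->pin_verified;
    return finish(c, ok ? SW_OK : SW_SECURITY_STATUS_NOT_SATISFIED, 0);
}

/* One VERIFY, then two 9C signatures: returns the second status word. */
int second_9c_sign_after_one_verify(void)
{
    mock_card c = { "123456", 0, 0 };
    card_verify(&c, "123456");
    card_sign(&c, KEY_9C);         /* succeeds, but clears the bit */
    return card_sign(&c, KEY_9C);  /* rejected: must VERIFY again */
}

/* Same sequence with the 9A key, which only needs the session login. */
int second_9a_sign_after_one_verify(void)
{
    mock_card c = { "123456", 0, 0 };
    card_verify(&c, "123456");
    card_sign(&c, KEY_9A);
    return card_sign(&c, KEY_9A);  /* still allowed */
}

/* An unrelated command slipped in between VERIFY and SIGN also clears the bit. */
int sign_9c_after_intervening_command(void)
{
    mock_card c = { "123456", 0, 0 };
    card_verify(&c, "123456");
    card_get_data(&c);
    return card_sign(&c, KEY_9C);  /* rejected */
}

int main(void)
{
    printf("usage(SIGN, ALWAYS_AUTH)   = 0x%03x\n", usage_for(CK_TRUE, CK_TRUE));
    printf("usage(SIGN only)           = 0x%03x\n", usage_for(CK_TRUE, CK_FALSE));
    printf("2nd 9C sign after 1 VERIFY = 0x%04x\n", second_9c_sign_after_one_verify());
    printf("2nd 9A sign after 1 VERIFY = 0x%04x\n", second_9a_sign_after_one_verify());
    printf("9C sign after GET DATA     = 0x%04x\n", sign_9c_after_intervening_command());
    return 0;
}
```

The mock makes Alon's objection concrete: on a card with such a bit, CKA_ALWAYS_AUTHENTICATE is enforced by the card itself and the PKCS#11 caller has no choice but to re-verify before each signature (in PKCS#11 terms, C_Login with CKU_CONTEXT_SPECIFIC between C_SignInit and C_Sign); on a card without it, the nonRepudiation bit derived by `pkcs15_usage_from_template` is only a statement of policy that the middleware must honour on its own.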