On 14/06/2011 16:18, Alon Bar-Lev wrote:
> On Tue, Jun 14, 2011 at 5:15 PM, Viktor Tarasov
> <viktor.tara...@gmail.com> wrote:
>> So, if no objections,
>> in the framework-pkcs15 I will set the 'nonRepudiation' PKCS#15 flag, if the
>> key 'create-object' template contains the CKA_ALWAYS_AUTHENTICATE and
>> CKA_SIGN
>> attributes. Thus there is no more need of the vendor specific attribute.
> But this is procedural.
> How can you enforce ALWAYS_AUTHENTICATE on something of your procedure?

All that I can do is to set the 'userConsent' object attribute if 'always-authenticate' is present in the 'create-object' template. The card itself can impose 'always-authenticate' when the object is protected by a 'one-time' PIN. That's 'generally' the case of the 'signature-with-non-repudiation' keys. So, for the framework-pkcs15, the alternative to the vendor specific 'NON-REPUDIATION' CKA_ attribute could be the combination of 'ALWAYS_AUTHENTICATE' and 'SIGN' present in the key 'create-object' template.

> Maybe laws in other countries enable authenticate once in X minutes?
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
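
The mapping proposed in this message, sketched as an added example that is not part of the original mail and is not OpenSC code. The `struct attr`, `struct p15_key`, `map_template` and `P15_USAGE_*` names are hypothetical, and treating CKA_SIGN alone as plain signing usage is an assumption.

```c
#include <stddef.h>
#include <stdio.h>

/* PKCS#11 attribute types, values as in the PKCS#11 headers. */
#define CKA_SIGN                0x108UL
#define CKA_ALWAYS_AUTHENTICATE 0x202UL
/* Hypothetical local names for the PKCS#15 key usage bits. */
#define P15_USAGE_SIGN           0x004u
#define P15_USAGE_NONREPUDIATION 0x200u

struct attr { unsigned long type; const void *value; unsigned long len; }; /* shaped like CK_ATTRIBUTE */
struct p15_key { unsigned usage; int user_consent; };

/* Return 1 only if the template carries `type` as a one-byte boolean set to true. */
static int attr_true(const struct attr *t, size_t n, unsigned long type)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].type == type)
            return t[i].value && t[i].len == 1 && *(const unsigned char *)t[i].value != 0;
    return 0; /* an absent attribute counts as false */
}

/* Derive the PKCS#15 key description from a 'create-object' template. */
struct p15_key map_template(const struct attr *t, size_t n)
{
    struct p15_key k = { 0, 0 };
    int sign = attr_true(t, n, CKA_SIGN);
    int always = attr_true(t, n, CKA_ALWAYS_AUTHENTICATE);

    if (sign)
        k.usage |= P15_USAGE_SIGN;           /* assumption: plain signing usage */
    if (always)
        k.user_consent = 1;                  /* one key use per authentication */
    if (sign && always)
        k.usage |= P15_USAGE_NONREPUDIATION; /* the combination replaces the vendor attribute */
    return k;
}

/* Constructed sample templates. */
static const unsigned char T = 1, F = 0;
const struct attr tmpl_nonrep[]    = { { CKA_SIGN, &T, 1 }, { CKA_ALWAYS_AUTHENTICATE, &T, 1 } };
const struct attr tmpl_sign_only[] = { { CKA_SIGN, &T, 1 }, { CKA_ALWAYS_AUTHENTICATE, &F, 1 } };
const struct attr tmpl_auth_only[] = { { CKA_SIGN, &F, 1 }, { CKA_ALWAYS_AUTHENTICATE, &T, 1 } };

int main(void)
{
    struct p15_key k = map_template(tmpl_nonrep, 2);
    printf("usage=0x%03x userConsent=%d\n", k.usage, k.user_consent);
    return 0;
}
```

The flags are metadata written by the framework; as the thread notes, re-authentication before each signature is only enforced if the card itself protects the key that way.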