On 06/13/2011 11:11 AM, Stef Walter wrote:
> On 06/10/2011 07:08 PM, Martin Paljak wrote:
>> On Jun 10, 2011, at 13:11 , Stef Walter wrote:
>>> After sleeping on this idea, I realized it won't work in certain
>>> cases. In particular when the key has CKA_ALWAYS_AUTHENTICATE
>>> and requires C_Login with CKU_CONTEXT_SPECIFIC.
>> This is hardly the case with SSL.
>>
>> CKA_ALWAYS_AUTHENTICATE in OpenSC context for example is only set
>> for keys that require "user consent" or usually are used for
>> "nonrepudiation". Most cards I've seen can use authentication keys
>> once the cardholder is verified until the card is reset or
>> removed.
>>
>> Using such card with a pinpad reader would be impossible for web
>> authentication, you'd be typing the PIN most of the time
> Since the PKCS#11 URIs say that the pinfile attribute of the URI
> can be determined by the application, we can build something simple
> in p11-kit and register callbacks so that one component (in the same
> process) can provide the pin for another (like gnutls).

I didn't like the pinfile attribute of pkcs11-urls much, because its
semantics are undefined. I see it as an option that could cause
compatibility issues between libraries using URLs. That's why I have
ignored it so far. Are there other alternatives to solve the issue at
hand?

regards,
Nikos