On 11/9/2011 11:39 AM, Viktor Tarasov wrote:
> Hello,
>
> I would like to 'touch' the PKCS#11 module of OpenSC and am looking for your
> opinions/suggestions about:
> - removing of 'pkcs15init' framework;

Would you keep the functionality of pkcs15init, and support it with the
pkcs15 framework?
The parts of the current pkcs15init code that I am interested in are required
to support PKCS#11 session objects. For example, the C_DeriveKey output is
returned as a session key object.
Session objects may reside on the card or only in the software, depending on
how a card does a key derivation.

> - configurable support of the multi on-card applications and multi-pins;
> - removing the 'one-pin' version of pkcs#11 module (or rather replacing it 
> with particular case of the configuration);
> - no separate slot for public objects.

The support for multiple on-card applications would be good. The PIV card, for
example, is really an on-card application, and any support to select
card/application drivers based on the application rather than just the ATR
could be useful.

>
>
> The proposed PKCS#11 configuration concerns the creation of slots, their
> authentication objects and their contents.
> Possibilities are:
>
>    - 'all' -- the current behavior -- a slot for every non-SOPIN, non-unblock
> PIN and optionally for the PUK;
>      all public objects within one on-card application are associated with
> the first 'User PIN' slot.
>
>    - combinations of the symbolic PIN names 'user', 'sign' and 'application',
> where the important combinations are:
>
>    -- if only 'user' (one-pin) is used, the single slot will contain the
> private objects from all on-card applications
>       which are protected by the corresponding card PIN. (In
> multi-application cards, the same global card PIN could be
>       referenced by the PKCS#15 'authentication' object of more than one
> on-card application.)
>       Other private objects are not visible (for example, the ones protected
> by the SignPIN).
>       All public objects from all on-card applications are also added to
> this slot.
>       (This configuration is suitable for FF.)
>
>    -- 'user' + 'sign' -- the same as the previous one, with the exception
> that a second slot is created for the
>       private object protected by the 'sign' PIN and this object's public
> 'friends'.
>       (This configuration could be useful for FF and Thunderbird.)
>
>    -- 'application' -- one slot per on-card application, so that the on-card
> applications can be differentiated
>      through the PKCS#11 API (the equivalent of the '--aid' option in the
> pkcs15(init) tools).
>      (This configuration is mostly for initializing the on-card applications
> with the PKCS#11 API.)
>
>    -- 'application' + 'sign' -- the same as 'all' without the optional slot
> for the PUK.

How would all of this affect existing card drivers?

Are the above configurations based on the card or some configuration file?

>
>
> Kind wishes,
> Viktor.
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>
>

-- 

  Douglas E. Engert  <deeng...@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
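The slot configurations in Viktor's proposal, modelled in code as an added example (this is not OpenSC code and comes from neither poster). A constructed two-application card shows what each configuration exposes and what stays hidden: the 'user' configuration hides the key behind the SignPIN while still showing its certificate, and collapsing several applications into one slot only works while they all reference the same global PIN. Assumptions not in the thread: a PIN is identified by its reference number; a private object's public 'friends' are the public objects of the same application with the same object id and move with it into the 'sign' slot; an 'application' slot is keyed to that application's 'user' PIN; 'sopin' and 'unblock' are the PIN types excluded from 'all'.

```python
"""Model of the PKCS#11 slot configurations proposed in the thread above.

Added example, not OpenSC code and not from either poster.  Assumptions the
thread does not state: a PIN is identified by its reference, so one global
card PIN referenced by several applications is a single PIN; a private
object's public 'friends' are the public objects of the same application
with the same object id, and they move with it into the 'sign' slot; an
'application' slot is keyed to that application's 'user' PIN; 'sopin' and
'unblock' are the PIN types excluded from 'all', the PUK slot being optional.
"""
from collections import OrderedDict

# Constructed sample card with two on-card applications.  Both reference the
# same global user PIN (reference 0x01); only app-B has a local sign PIN.
CARD = {
    "app-A": {
        "pins": {"user": 0x01, "sopin": 0x02, "unblock": 0x03},
        "objects": [
            {"id": "01", "label": "auth-key",  "private": True,  "auth": "user"},
            {"id": "01", "label": "auth-cert", "private": False, "auth": None},
        ],
    },
    "app-B": {
        "pins": {"user": 0x01, "sign": 0x81, "sopin": 0x02},
        "objects": [
            {"id": "02", "label": "sign-key",  "private": True,  "auth": "sign"},
            {"id": "02", "label": "sign-cert", "private": False, "auth": None},
            {"id": "03", "label": "enc-key",   "private": True,  "auth": "user"},
            {"id": "03", "label": "enc-cert",  "private": False, "auth": None},
        ],
    },
}


def build_slots(card, config, puk_slot=False):
    """Map 'all', 'user', 'user+sign', 'application' or 'application+sign'
    to an OrderedDict of slot name -> {'pin': PIN reference, 'objects': labels}."""
    cfg = frozenset(config.split("+"))
    slots = OrderedDict()

    def add(name, pin_ref, objs):
        slot = slots.setdefault(name, {"pin": pin_ref, "objects": []})
        if slot["pin"] != pin_ref:  # one slot is unlocked by exactly one PIN
            raise ValueError(f"slot {name!r} would need PINs {slot['pin']:#x} and {pin_ref:#x}")
        slot["objects"].extend(o["label"] for o in objs)

    def private_for(data, pin):
        return [o for o in data["objects"] if o["private"] and o["auth"] == pin]

    def public_of(data):
        return [o for o in data["objects"] if not o["private"]]

    if cfg in ({"all"}, {"application", "sign"}):
        for app, data in card.items():
            for pin, ref in data["pins"].items():
                if pin not in ("sopin", "unblock"):
                    add(f"{app}/{pin}", ref, private_for(data, pin))
            # an application's public objects ride on its first user-PIN slot
            add(f"{app}/user", data["pins"]["user"], public_of(data))
            if cfg == {"all"} and puk_slot and "unblock" in data["pins"]:
                add(f"{app}/unblock", data["pins"]["unblock"], [])

    elif cfg in ({"user"}, {"user", "sign"}):
        for app, data in card.items():  # one slot behind the global user PIN
            add("user", data["pins"]["user"], private_for(data, "user"))
        claimed = set()  # public objects that move to the 'sign' slot
        if "sign" in cfg:
            for app, data in card.items():
                if "sign" in data["pins"]:
                    keys = private_for(data, "sign")
                    ids = {o["id"] for o in keys}
                    friends = [o for o in public_of(data) if o["id"] in ids]
                    claimed.update(o["label"] for o in friends)
                    add("sign", data["pins"]["sign"], keys + friends)
        for app, data in card.items():
            add("user", data["pins"]["user"],
                [o for o in public_of(data) if o["label"] not in claimed])

    elif cfg == {"application"}:
        for app, data in card.items():  # PKCS#11 counterpart of --aid
            add(app, data["pins"]["user"], data["objects"])

    else:
        raise ValueError(f"unsupported configuration {config!r}")
    return slots


def hidden_objects(card, slots):
    """Labels present on the card but exposed through no slot."""
    shown = {lbl for s in slots.values() for lbl in s["objects"]}
    return sorted(o["label"] for d in card.values()
                  for o in d["objects"] if o["label"] not in shown)


if __name__ == "__main__":
    for config in ("all", "user", "user+sign", "application", "application+sign"):
        slots = build_slots(CARD, config, puk_slot=(config == "all"))
        print(f"[{config}]")
        for name, slot in slots.items():
            print(f"  {name:14} pin {slot['pin']:#04x}  {slot['objects']}")
        print(f"  hidden: {hidden_objects(CARD, slots)}")
```

Running it prints the slots for each configuration. The ValueError raised when two applications reference different 'user' PINs is the check a one-slot configuration needs: a PKCS#11 slot can only be logged into with one PIN, so objects behind distinct PINs cannot share a slot.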