On 10/11/2011 13:16, Alon Bar-Lev wrote:
> On Wed, Nov 9, 2011 at 7:39 PM, Viktor Tarasov<viktor.tara...@gmail.com>  
> wrote:
>> Hello,
>>
>> I would like to 'touch' the PKCS#11 module of OpenSC and am looking for your 
>> opinions/suggestions about:
>> - removing the 'pkcs15init' framework;
>> - configurable support of the multi on-card applications and multi-pins;
>> - removing the 'one-pin' version of pkcs#11 module (or rather replacing it 
>> with particular case of the configuration);
>> - no separate slot for public objects.
> 1. If you remove the pkcs#15 init how will you init the card? How will
> you create several PINs?


When creating the on-card PKCS#15 application on a non-initialized card,
I guess that the 'pkcs15-init' tool is more flexible, has more possibilities 
and is more appropriate to use.

Creating, modifying and removing objects on the initialized card is covered 
by the 'pkcs15' framework.


> 2. If you separate PINs into slots, you must expose the public object
> within the same slot as the private object, as the application will look
> for the private object in the same slot with the same id as the public
> one.

Exactly.
That's what I described in the details of different configuration possibilities.


> 3. The one-pin should have been removed a long time ago in favor of
> configuration :)


Look into win32/OpenSC.wxs and src/pkcs11/Makefile.am (and Makefile.mak) and search for 
'onepin_opensc_pkcs11'.
Also search the sources for 'hack_en(dis)abled'.



> But as usual, I will keep reminding anyone that the most severe issue
> of OpenSC PKCS#11 is the requirement to lock the reader from C_Login until
> eternity in order to achieve a secure setup. As far as I know this has
> not been addressed.
>
> 1. It explicitly violates the PKCS#11 spec.
>
> 2. Disabling this (lock_login=false) exposes your card to other
> applications without authentication.
>
> 3. Default is disabled, which goes back to (2).

Ok, we will think about it.


> Regards,
> Alon.

Kind wishes,
Viktor.
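As an added illustration of the lock_login setting Alon raises (this fragment is not from the thread and is not OpenSC's shipped opensc.conf), the weak default beside the corrected value. The enclosing `app opensc-pkcs11 { pkcs11 { ... } }` block names are assumed from the OpenSC configuration layout and should be checked against the opensc.conf that ships with your version:

```conf
# Added example, not the thread's or OpenSC's own file.
# Fragment of opensc.conf; the enclosing block names are assumed.
app opensc-pkcs11 {
    pkcs11 {
        # Weak setting (the default Alon describes): the reader is not
        # locked between C_Login and logout, so another application with
        # access to the reader can use the authenticated card without
        # authenticating itself.
        # lock_login = false;

        # Corrected setting: keep the reader locked once C_Login has
        # succeeded, so other applications cannot use the authenticated
        # card. Alon's caveat applies: holding the lock from C_Login
        # onward is what he describes as violating the PKCS#11 spec.
        lock_login = true;
    }
}
```

Which of the two is acceptable depends on whether other applications on the host are expected to share the reader while a session is logged in; the thread leaves that trade-off open.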


_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel