On Fri, 8 Jun 2001, Dr S N Henson wrote:

> Carlos Prados wrote:
> >
> >
> > Again, I would pay more attention to local security.
> > Why is the file /tmp/.pcscrx world writable? Isn't
> > this a security hole?
> >
>
> On the subject of security...
>
> As may be apparent I've only just got my setup working and I've not
> examined things in any detail. I did notice a few things which might be
> cause for concern.
>
> Consider a Netscape PKCS#11 module. In this application the connection
> to the reader may need to be kept open for an extended period of time
> (typically the whole browser session) and may not be closed cleanly. As
> we are all painfully aware it's not entirely unknown for a browser to
> crash.

For the PKCS#11 part, there's a solution: just use random session numbers,
and close all the sessions if you detect at least 3 invalid session
numbers...

That way, the application can crash, but trying to attach to this previous
session and keep the authenticated state would be difficult.

-- 
Erwann ABALEA
[EMAIL PROTECTED]
RSA PGP Key ID: 0x2D0EABD5
-----
A computer is a state machine.
Threads are for people who can't program state machines.
                                     Alan Cox
               in a discussion about the threads and the Linux scheduler


***************************************************************
Linux Smart Card Developers - M.U.S.C.L.E.
(Movement for the Use of Smart Cards in a Linux Environment)
http://www.linuxnet.com/smartcard/index.html
***************************************************************
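The session-number scheme suggested in the reply above, as an added sketch that is not code from the thread, from MUSCLE, or from any PKCS#11 module. All names (`session_open`, `session_lookup`, `MAX_INVALID`, the table layout) are hypothetical, and it assumes a Linux host with `/dev/urandom` and a cumulative invalid-handle counter.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SESSIONS 8
#define MAX_INVALID  3   /* threshold taken from the message above */

struct session { uint64_t handle; int in_use; int logged_in; };
static struct session table[MAX_SESSIONS];
static int invalid_count; /* assumption: never reset by a valid lookup */

/* Random 64-bit handle from the kernel CSPRNG; 0 signals failure. */
static uint64_t random_handle(void) {
    uint64_t h = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return 0;
    if (fread(&h, sizeof h, 1, f) != 1) h = 0;
    fclose(f);
    return h;
}

/* Open a session; returns its handle, or 0 if the table is full. */
uint64_t session_open(void) {
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (table[i].in_use) continue;
        uint64_t h = random_handle();
        if (h == 0) return 0;
        table[i] = (struct session){ .handle = h, .in_use = 1 };
        return h;
    }
    return 0;
}

/* Drop every session together with its authenticated state. */
void session_close_all(void) {
    memset(table, 0, sizeof table);
    invalid_count = 0;
}

/* Resolve a handle. An unknown handle is counted as a guess; on the
 * third one, all sessions are closed so nothing is left to attach to. */
struct session *session_lookup(uint64_t h) {
    for (int i = 0; h != 0 && i < MAX_SESSIONS; i++)
        if (table[i].in_use && table[i].handle == h) return &table[i];
    if (++invalid_count >= MAX_INVALID) session_close_all();
    return NULL;
}

int session_count(void) {
    int n = 0;
    for (int i = 0; i < MAX_SESSIONS; i++) n += table[i].in_use;
    return n;
}
```
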
