Hello,

On 22/03/06, Shawn Willden <[EMAIL PROTECTED]> wrote:
> On Wednesday 22 March 2006 13:51, Shawn Willden wrote:
> > While musing about some related issues today, a major possible problem with
> > pcsc-lite's security model cropped up. It doesn't appear that there is any
> > way to restrict smart card access by user.
>
> Okay, after looking into things a little, it appears that the PC/SC Workgroup
> specification (for whatever it's worth) provides a mechanism for user-centric
> access control. SCardEstablishConnection takes a scope parameter, and one of
> the options is SCARD_SCOPE_USER. However, (a) the document doesn't really
> define what it means, (b) what explanation there is doesn't make it seem
> useful to solve this problem and (c) pcsc-lite doesn't implement it anyway.
>
> It appears to me that SCARD_SCOPE_USER is supposed to restrict the
> application's access to readers that the user is supposed to have access to.
> It looks like a mechanism to narrow the set of available readers for
> convenience, rather than for security.
You can have a look at the MSDN page about SCardEstablishContext(). But I
don't find the explanation of SCARD_SCOPE_USER and SCARD_SCOPE_SYSTEM very
clear.

I guess what you want is to restrict access to a smart card to only one
application, in order to prevent any other application from using the card
at the same time.

What you are looking for is SCardConnect() and its dwShareMode parameter.
See [1]

┌───────────────────────┬─────────────────────────────────────────────────────┐
│ Value of dwShareMode  │ Meaning                                             │
├───────────────────────┼─────────────────────────────────────────────────────┤
│ SCARD_SHARE_SHARED    │ This application will allow others to share the     │
│                       │ reader                                              │
├───────────────────────┼─────────────────────────────────────────────────────┤
│ SCARD_SHARE_EXCLUSIVE │ This application will NOT allow others to share the │
│                       │ reader                                              │
├───────────────────────┼─────────────────────────────────────────────────────┤
│ SCARD_SHARE_DIRECT    │ Direct control of the reader, even without a card   │
└───────────────────────┴─────────────────────────────────────────────────────┘

Bye,

[1] http://pcsclite.alioth.debian.org/pcsc-lite/node11.html

--
Dr. Ludovic Rousseau

_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle
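The SCardConnect() / dwShareMode usage that Ludovic points to, as an added example that is not part of the original mail and not pcsc-lite's own code. It opens a card in SCARD_SHARE_EXCLUSIVE mode and interprets the return code, in particular SCARD_E_SHARING_VIOLATION, which is what the other application sees while the card is held. The typedefs, constants and prototypes are copied from the public PC/SC API (pcsc-lite winscard.h / pcsclite.h on Linux) so the file compiles without the header; the prototypes are declared weak (a GCC/clang extension) so the file also links without -lpcsclite, in which case the calls report "PC/SC unavailable". The reader name in main() is a constructed placeholder, and the outcome enum and helper names are this example's own.

```c
/* Added example, not part of the original mail: open a card with
 * SCardConnect() in SCARD_SHARE_EXCLUSIVE mode and interpret the result.
 * Types, constants and prototypes are copied from the public PC/SC API
 * (pcsc-lite winscard.h / pcsclite.h, Linux) so no header is needed; they
 * are declared weak so the file links without -lpcsclite too. */
#include <stdio.h>

typedef long LONG;                      /* pcsc-lite wintypes.h on Linux */
typedef unsigned long DWORD;
typedef LONG SCARDCONTEXT;
typedef LONG SCARDHANDLE;

#define SCARD_S_SUCCESS           ((LONG)0x00000000)
#define SCARD_E_SHARING_VIOLATION ((LONG)0x8010000B)   /* held by another app */
#define SCARD_E_NO_SMARTCARD      ((LONG)0x8010000C)
#define SCARD_E_NO_SERVICE        ((LONG)0x8010001D)   /* pcscd not running */
#define SCARD_SCOPE_SYSTEM        0x0002
#define SCARD_SHARE_EXCLUSIVE     0x0001   /* dwShareMode value from the table */
#define SCARD_PROTOCOL_T0         0x0001
#define SCARD_PROTOCOL_T1         0x0002
#define SCARD_LEAVE_CARD          0x0000

LONG SCardEstablishContext(DWORD, const void *, const void *, SCARDCONTEXT *)
    __attribute__((weak));
LONG SCardConnect(SCARDCONTEXT, const char *, DWORD, DWORD, SCARDHANDLE *, DWORD *)
    __attribute__((weak));
LONG SCardDisconnect(SCARDHANDLE, DWORD) __attribute__((weak));
LONG SCardReleaseContext(SCARDCONTEXT) __attribute__((weak));

typedef enum {
    CARD_OK,          /* we now hold the card; nobody else can connect */
    CARD_BUSY,        /* another application holds it: dwShareMode did its job */
    CARD_ABSENT,      /* reader present, no card inserted */
    CARD_NO_PCSC,     /* library not linked or pcscd not running */
    CARD_OTHER_ERROR
} card_outcome;

/* Map a PC/SC return code to the outcome an application should act on. */
card_outcome classify_connect(LONG rc)
{
    switch (rc) {
    case SCARD_S_SUCCESS:           return CARD_OK;
    case SCARD_E_SHARING_VIOLATION: return CARD_BUSY;
    case SCARD_E_NO_SMARTCARD:      return CARD_ABSENT;
    case SCARD_E_NO_SERVICE:        return CARD_NO_PCSC;
    default:                        return CARD_OTHER_ERROR;
    }
}

const char *outcome_text(card_outcome o)
{
    static const char *names[] = { "connected exclusively",
                                   "reader busy (sharing violation)",
                                   "no card in reader", "PC/SC unavailable",
                                   "other error" };
    return names[o];
}

/* Establish a context and connect to `reader` exclusively. On any failure the
 * context is released again, so the caller owns resources only on CARD_OK. */
card_outcome open_exclusive(const char *reader, SCARDCONTEXT *ctx,
                            SCARDHANDLE *card, LONG *rc_out)
{
    DWORD proto = 0;
    LONG rc;

    if (!SCardEstablishContext || !SCardConnect || !SCardReleaseContext) {
        *rc_out = SCARD_E_NO_SERVICE;          /* weak symbols unresolved */
        return CARD_NO_PCSC;
    }
    rc = SCardEstablishContext(SCARD_SCOPE_SYSTEM, NULL, NULL, ctx);
    if (rc != SCARD_S_SUCCESS) {
        *rc_out = rc;
        return classify_connect(rc);
    }
    rc = SCardConnect(*ctx, reader, SCARD_SHARE_EXCLUSIVE,
                      SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1, card, &proto);
    if (rc != SCARD_S_SUCCESS) {
        SCardReleaseContext(*ctx);
        *ctx = 0;
    }
    *rc_out = rc;
    return classify_connect(rc);
}

void close_exclusive(SCARDCONTEXT ctx, SCARDHANDLE card)
{
    /* Releasing the handle is what lets other applications connect again. */
    SCardDisconnect(card, SCARD_LEAVE_CARD);
    SCardReleaseContext(ctx);
}

int main(int argc, char **argv)
{
    /* Constructed placeholder reader name; pass a real one (as returned by
     * SCardListReaders) on the command line. */
    const char *reader = argc > 1 ? argv[1] : "Constructed Reader 00 00";
    SCARDCONTEXT ctx = 0;
    SCARDHANDLE card = 0;
    LONG rc = 0;
    card_outcome o = open_exclusive(reader, &ctx, &card, &rc);

    printf("SCardConnect(\"%s\", SCARD_SHARE_EXCLUSIVE): %s (0x%08lX)\n",
           reader, outcome_text(o), (unsigned long)rc);
    if (o == CARD_OK) {
        /* While this handle is open, SCardConnect() from any other process,
         * whatever dwShareMode it asks for, returns SCARD_E_SHARING_VIOLATION. */
        puts("holding the card exclusively; press Enter to release it");
        getchar();
        close_exclusive(ctx, card);
    }
    return o == CARD_OK ? 0 : 1;
}
```

Run two copies against the same reader to see the arbitration: the first holds the card, the second reports "reader busy (sharing violation)" until the first releases its handle. Note what this does and does not give you: dwShareMode is cooperative arbitration between applications talking to the same pcscd, enforced only while the handle is held and dropped as soon as the holder disconnects or exits; it says nothing about which user may reach the reader, which is the separate question raised in the quoted mail.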
