Tim:

1) The relevant specification is NIST SP 800-73, which does include the notion of logged-in/logged-out on the client API. It is available at:
http://csrc.nist.gov/publications/nistpubs/

You might also want to consult the developer forum at: http://piv.nist.gov/

2) AFAIK CAC is not compliant with either this specification or GSC-IS v2.1.

Cheers,
Scott

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Timothy J. Miller
Sent: Wednesday, July 12, 2006 1:51 PM
To: MUSCLE
Subject: CAC and musclecardframework, some final words (was: Re: [Muscle]Re: MSC_TOKEN_RESET behavior questions)

Timothy J. Miller wrote:

> 1) Add MSCLogoutAll to commonAccessCard.c. This is probably the best
> solution, but I have no freakin' clue how to go about it;

I did some digging on this, and pulled down & perused the NIST gov't smartcard spec the CAC complies with. GSC-IS has no concept of logged-in vs. logged-out IDs, as musclecard seems to have; instead, it's all about access control rules applied to each operation. So it makes sense that the MSCLogoutAll() is unimplemented.

However, commonAccessCard.c *is* setting pConnection->loggedIDs when a verify PIN operation is performed, so I added code to unset pConnection->loggedIDs when MSCLogoutAll() is called and return a success et voilà! Done.

I'm going to have to review the APSL commonAccessCard.c falls under to see what obligations I'm under re: distributing these changes.

There's still the stale pointer in the session table and NULL handling issues with session_FreeSession(), but I think I have a handle on these now and may be able to fix them. If I have any success I'll contribute patches back.

-- Tim
