On Tuesday 24 April 2007 02:28:21 pm Timothy J. Miller wrote:
> This is only true if you're leaving the card in the reader. I would say
> don't do that; the card should only be inserted when the card is needed
> for an operation, limiting the window during which malicious code can
> piggyback an authenticated card session (or start its own).

Also keep in mind that pcscd accepts connections to the reader from any
process on the machine. If there are any other users on your machine (using
their own accounts), and the application doesn't open the card in exclusive
mode and keep it open until you remove the card, then those other users can
also use your card after you've authenticated to it.

To be safe, don't use a card with important private keys on a multi-user
machine. Either that or be very sure that your applications grab the card
and never let go once you've presented the PIN.

Shawn.
_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle
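
The sharing behaviour described in the message above, as an added example that is not part of the original thread: a toy Python model of a reader shared between two local users, with no real pcscd or card involved. The class and function names are hypothetical, the constant values are the ones in the PC/SC headers, and the model assumes the PIN-verified state persists on the card until a reset.

```python
# Toy model of PC/SC share modes; no real reader or pcscd is touched.
SCARD_SHARE_EXCLUSIVE, SCARD_SHARE_SHARED = 1, 2   # values from the PC/SC headers
SCARD_LEAVE_CARD, SCARD_RESET_CARD = 0, 1


class SharingViolation(Exception):
    """Stands in for the SCARD_E_SHARING_VIOLATION return code."""


class Card:
    """The PIN-verified state lives on the card, not in the client's handle."""
    def __init__(self, pin):
        self._pin, self.verified = pin, False

    def verify(self, pin):
        self.verified = (pin == self._pin)
        return self.verified

    def sign(self, data):
        if not self.verified:
            raise PermissionError("security status not satisfied")
        return "sig(" + data + ")"


class Reader:
    """Modelled resource manager: any local user may connect, as with pcscd."""
    def __init__(self, card):
        self.card, self.handles = card, {}          # user -> share mode

    def connect(self, user, mode):
        exclusive_held = SCARD_SHARE_EXCLUSIVE in self.handles.values()
        if exclusive_held or (mode == SCARD_SHARE_EXCLUSIVE and self.handles):
            raise SharingViolation(user)
        self.handles[user] = mode
        return self.card

    def disconnect(self, user, disposition):
        del self.handles[user]
        if disposition == SCARD_RESET_CARD:          # assumed: reset clears PIN state
            self.card.verified = False


def second_user_can_sign(owner_mode, release_with=None):
    """Owner connects and verifies the PIN; can another local user then sign?"""
    reader = Reader(Card("1234"))                    # constructed sample PIN
    reader.connect("owner", owner_mode).verify("1234")
    if release_with is not None:                     # the app "lets go" of the card
        reader.disconnect("owner", release_with)
    try:
        return reader.connect("other", SCARD_SHARE_SHARED).sign("doc") == "sig(doc)"
    except (SharingViolation, PermissionError):
        return False
```

In the model, an exclusive connection protects the card only while it is held: releasing it with SCARD_LEAVE_CARD leaves the verified state behind for the next connection, while SCARD_RESET_CARD clears it.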