On 10/18/2012 11:23 AM, James Southwell wrote:
Running Firefox 11.0
Installed opensc and websites requiring signature certificate work
without issue. Websites that require email signature error out.

Good to hear.
There are a few issues with using the PIV signing cert/key from
OpenSC-0.12.2 that are fixed in the upcoming 0.13.0 release.

They deal with the card enforcing the use of the PIN just before
any crypto operation using the signing key. OpenSC 0.12.2 will
recognize the PKCS#15 "user_consent" flag on these types
of keys and not cache a PIN in that case.

But NSS used by FF and TB doesn't yet understand the PKCS#11
CKA_ALWAYS_AUTHENTICATE attribute. Bug reports on this go back to 2006.
The fixes are in the pipeline for NSS 3.14 but not yet in released FF or TB.

For more info:
Google for: OpenSC CKA_ALWAYS_AUTHENTICATE NSS

So until FF and TB get the fixes, OpenSC-0.13.0 adds a new option to
the opensc.conf file to cache the PIN to accommodate older applications.

  pin_cache_ignore_user_consent = true;



Webpage shows:
Secure Connection Failed
An error occurred during a connection to
xxxxx.navy.mil.

The operation failed because the PKCS#11 token is not logged in.

(Error code: sec_error_token_not_logged_in)


opensc        0.12.2-2ubuntu1  Smart card utilities with support for PKCS#15 compatible cards
pcscd         1.7.4-2ubuntu2   Middleware to access a smart card using PC/SC (daemon side)
libpcsclite1  1.7.4-2ubuntu2   Middleware to access a smart card using PC/SC (library)

Thank you for information already provided.

Jim
_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle



--

 Douglas E. Engert  <[email protected]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
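
Where the option from the reply above would sit in opensc.conf, as an added example that is not part of the original message. The `app default` / `framework pkcs15` nesting and the `use_pin_caching` line follow the stock OpenSC configuration layout and are assumptions here, not taken from the thread:

```conf
# opensc.conf (OpenSC 0.13.0 or later; 0.12.2 does not have this option)
app default {
	framework pkcs15 {
		# PIN caching has to be enabled for the option below to matter
		# (assumed from the stock file layout, not stated in the thread).
		use_pin_caching = true;

		# Cache the PIN even for keys carrying the PKCS#15 "user_consent"
		# flag, such as the PIV signing key, so that applications which do
		# not handle CKA_ALWAYS_AUTHENTICATE (NSS before the 3.14 fixes)
		# can still use the key.
		# Trade-off: the card's PIN-before-every-crypto-operation check is
		# then answered by the middleware from its cache, not by the user.
		pin_cache_ignore_user_consent = true;

		# Once Firefox/Thunderbird ship the NSS fixes, restore the
		# per-operation PIN prompt:
		# pin_cache_ignore_user_consent = false;
	}
}
```

Applications that load the OpenSC PKCS#11 module need to be restarted to pick up the change.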

