Antti S. Lankila wrote:
Nils Larsch wrote:
disagree, (at least as far as pkcs11 is concerned) as this would prevent
every application from using non-rep. keys, not just applications which
want to use a non-rep. key for authentication.
It's not the job of a pkcs11 library to decide which keys an application
should use, that's the job of the application using the pkcs11 library.

I'm completely browser-centric. To use your language, I believe that the browser security module opensc-pkcs11.so is the "application" which we are talking about.

actually no, opensc-pkcs11.so is a pkcs11 library.

I am not talking about changing the generic library, such as libopensc2.

sure

I just want to make firefox/pkcs11 stop asking for the nonrepudiation key, at least for FINEID cards, when it doesn't need this key. When it does this by default, any sane person pauses, pulls the card out of the reader, closes the browser and never touches OpenSC again.

Is there some flag opensc-pkcs11.so could return to Firefox, to prevent Firefox from unlocking that key by default?

don't know, but if the NSS makes its decision based on the cert
contents there isn't much opensc can do

If not, I see no alternative but to stop reporting that key to the browser.

instead of modifying the standard opensc pkcs11 library we could
use a proxy pkcs11 library for mozilla which filters out non-rep
keys ...

Cheers,
Nils
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
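
The proxy filter suggested in the message above needs a rule for which objects to hide. As an added example (not code from OpenSC, NSS or the posters), here is one such rule in C, assuming the proxy reads the DER-encoded keyUsage extension value of the certificate paired with each key; the function names and sample bytes are constructed, and the wiring into the PKCS#11 calls is not shown.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* X.509 KeyUsage bits (RFC 5280): bit 0 is the MSB of the first content byte. */
#define KU_DIGITAL_SIGNATURE 0x80u
#define KU_NON_REPUDIATION   0x40u

/* Decode the DER BIT STRING that forms the keyUsage extension value.
 * Returns usage bits 0..7 as one byte, or -1 if the encoding is malformed. */
int key_usage_bits(const uint8_t *der, size_t len)
{
    if (der == NULL || len < 4 || der[0] != 0x03)   /* BIT STRING tag */
        return -1;
    size_t body = der[1];                           /* short-form length */
    if (body < 2 || body > 3 || body + 2 != len)    /* 1 or 2 usage bytes */
        return -1;
    uint8_t unused = der[2];                        /* padding bit count */
    if (unused > 7)
        return -1;
    uint8_t bits = der[3];
    if (body == 2)                                  /* padding is in this byte */
        bits &= (uint8_t)(0xFFu << unused);
    return bits;
}

/* Hypothetical proxy policy: hide a key from the browser when its certificate
 * permits nonRepudiation but not digitalSignature. Unparseable input is
 * hidden as well, so a damaged certificate never triggers a PIN prompt. */
int proxy_should_hide(const uint8_t *der, size_t len)
{
    int ku = key_usage_bits(der, len);
    if (ku < 0)
        return 1;
    return (ku & KU_NON_REPUDIATION) && !(ku & KU_DIGITAL_SIGNATURE);
}

int main(void)
{
    /* Constructed sample keyUsage values, not taken from a real card. */
    const uint8_t signing_only[] = { 0x03, 0x02, 0x06, 0x40 }; /* nonRepudiation */
    const uint8_t auth_cert[]    = { 0x03, 0x02, 0x05, 0xA0 }; /* digSig + keyEnc */
    printf("non-rep only: hide=%d\n", proxy_should_hide(signing_only, sizeof signing_only));
    printf("auth cert:    hide=%d\n", proxy_should_hide(auth_cert, sizeof auth_cert));
    return 0;
}
```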