Alon Bar-Lev wrote:
But before we do, I think we need to define what is smartcard support...
There are quality criteria that should be listed for each application,
describing its level of support.

this whole section should be put into a style guide for adding
smart card support I think.

but while we will be able to agree on most parts, I think there won't
be one solution that fits everyone. for example some people are fine
with pin in config files, even want that. (if my root partition
is encrypted, why not store sensitive data like that on it?)

3. If the user removes and inserts his card, the application should
reprompt for PIN when private object is accessed.

4. If the user removes the card from one reader and inserts it into
another reader, the application should detect that it is the same
card, and not prompt the user for credentials again.

I think the moment a card is removed the pin for it should be forgotten.
sure, your logic makes sense too, so people want choice.

also I find it most interesting how some people use smart cards:
with pinpad reader, enter the pin once to verify, and then the
card remains in a state where the key can be used any number of
times. I would like to have that too! but it is not a solution
for everyone, for example for eid cards with lawful "qualified"
signature keys it is not allowed to have that in some countries.

7. If application uses a persistent connection, such as a VPN or SSL
session which was initiated by a smartcard operation, the session should be
disconnected (if requested by user) once the smartcard is removed.

I want my screen to lock when I remove my smart card, but why shouldn't
that cp command finish or the mail client continue to check for emails
and download new ones? again I think users will have different opinions
on this so they need choice.

9. If application supports a standard interface, such as PKCS#11, it
should allow to load more than one provider, so application can serve
different users with different devices.

several pkcs#11 modules at the same time? I thought pcsc would
make trouble with that - two connects to the same slot block one
of them with no option for testing "is this card in use?" to avoid
that.

still even with different preferences, it would be great to put this
into a web page as reference for everyone who has plans for adding smart
card support to his applications. knowing all the issues involved should
make it easier to pick the right design if you know about these advanced
topics.

I think that grading application by the quality of smartcard support
will serve users best, and will provide a way for developers to
understand what is required from their side.

let's start simple and see how we can walk from there.
A simple list of applications, structured in groups somehow,
with name and a small line what it does, and status yes/no/partial.
the name could be the link to a wiki page, where we put all the
details, like longer description, links to web page and friends,
which features are available, caveats, such reviews for specific
features and so on?

or any other structure etc?

Andreas
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
