On Mon, Nov 27, 2006 at 05:35:30PM +0200, Alon Bar-Lev wrote:
> 1. You don't expect an application to require the user to store the PIN
> hard-coded in a configuration file...
> [...]
> 3. If the user removes and inserts his card, the application should
> reprompt for the PIN when a private object is accessed.
> [...]
> 4. If the user removes the card from one reader and inserts it into
> another reader, the application should detect that it is the same
> card, and not prompt the user for credentials again.
> [...]
> 7. If the application uses a persistent connection, such as a VPN or SSL
> session which was initiated by a smartcard operation, the session should be
> disconnected (if requested by the user) once the smartcard is removed.
You have two sides requesting things there:
- the application / application-provider side, trying to enforce some security measures (e.g. enter the PIN for every single operation, take the service down immediately on removal of the card)
- the user, who wants to work without being bugged.

IMHO the application can suggest such behaviour, but the user should be the one able to configure the behaviour.

To enforce, e.g., that the service is taken down (let's take a VPN), you can enforce rekeyings that need the key on the card every five minutes and get the service down that way.

I was just reading from your suggestions that the card-management layer like opensc could enforce this; that wouldn't work.

Christian
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
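The rekey-based enforcement Christian sketches, as an added, self-contained example that is not code from OpenSC or from either poster. The application itself, not the card-management layer, schedules a periodic rekey that needs a private-key operation on the card; if the card is absent when the rekey is due, the session is dropped (point 7), the same card is recognised in another reader by its token serial (point 4), and whether a remove/reinsert costs a new PIN prompt (point 3) is a user policy flag. The names `Card`, `Readers`, `SessionWatchdog` and `demo` are assumptions made for the illustration; the HMAC secret stands in for a private key that never leaves the card, and a real implementation would drive the token through PKCS#11 (`C_Sign`, `CK_TOKEN_INFO.serialNumber`, `C_WaitForSlotEvent`) instead.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Card:
    """Toy token (assumption, not a PKCS#11 binding). `serial` plays the role of
    CK_TOKEN_INFO.serialNumber; `_secret` stands in for the on-card private key."""
    serial: str
    pin: str
    _secret: bytes = field(default_factory=lambda: os.urandom(32), repr=False)

    def sign(self, pin: str, data: bytes) -> bytes:
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):
            raise PermissionError("wrong PIN")
        return hmac.new(self._secret, data, hashlib.sha256).digest()

    def verifier(self):
        """What the remote peer holds (analogue of the card's certificate)."""
        secret = self._secret
        return lambda data, sig: hmac.compare_digest(
            hmac.new(secret, data, hashlib.sha256).digest(), sig)


class Readers:
    """Slot list as the application sees it: slot id -> Card or None."""
    def __init__(self, n_slots: int):
        self.slots = {i: None for i in range(n_slots)}

    def insert(self, slot: int, card: Card): self.slots[slot] = card
    def remove(self, slot: int): self.slots[slot] = None

    def locate(self, serial: str):
        """(slot, card) for the token with this serial, or (None, None).
        Matching on the serial, not the slot, is what recognises the same
        card after it moved to another reader."""
        for slot, card in self.slots.items():
            if card is not None and card.serial == serial:
                return slot, card
        return None, None


class SessionWatchdog:
    """Session bound to a card by periodic rekeys. Every `rekey_interval`
    seconds a fresh challenge must be signed by the card or the session is
    torn down. `reprompt_on_reinsert` is the user-configurable policy."""
    def __init__(self, readers, serial, pin_prompt, rekey_interval=300,
                 reprompt_on_reinsert=False):
        self.readers, self.serial, self.pin_prompt = readers, serial, pin_prompt
        self.rekey_interval, self.reprompt_on_reinsert = rekey_interval, reprompt_on_reinsert
        self.state, self._pin, self._slot, self._last_rekey, self._verify = "down", None, None, None, None

    def establish(self, now: float) -> str:
        slot, card = self.readers.locate(self.serial)
        if card is None:
            return self._disconnect()
        self._pin = self.pin_prompt()          # cached in memory only, never in a config file
        self._verify = card.verifier()         # peer learns the card's public key
        self._slot = slot
        return self._rekey(card, now)

    def tick(self, now: float) -> str:
        """Called from the application's event loop; returns "up" or "down"."""
        if self.state != "up" or now - self._last_rekey < self.rekey_interval:
            return self.state
        slot, card = self.readers.locate(self.serial)
        if card is None:                       # removed, or a different card inserted
            return self._disconnect()
        if slot != self._slot:                 # same card, now in another reader
            self._slot = slot                  # (removal into the *same* slot needs slot events)
            if self.reprompt_on_reinsert:
                self._pin = self.pin_prompt()
        return self._rekey(card, now)

    def _rekey(self, card, now):
        challenge = os.urandom(32)             # peer's fresh nonce
        try:
            sig = card.sign(self._pin, challenge)
        except PermissionError:
            return self._disconnect()
        if not self._verify(challenge, sig):
            return self._disconnect()
        self._last_rekey, self.state = now, "up"
        return self.state

    def _disconnect(self):
        self.state, self._pin = "down", None   # drop the cached PIN with the session
        return self.state


def demo(move_card: bool, reprompt: bool):
    """Constructed scenario: card in reader 0, VPN up, card pulled at t=200 and
    either moved to reader 1 or left out. Returns (states seen, PIN prompts)."""
    readers, card, prompts = Readers(2), Card(serial="0011223344", pin="1234"), []
    readers.insert(0, card)
    wd = SessionWatchdog(readers, "0011223344", lambda: prompts.append(1) or "1234",
                         rekey_interval=300, reprompt_on_reinsert=reprompt)
    states = [wd.establish(now=0), wd.tick(now=100)]
    readers.remove(0)
    if move_card:
        readers.insert(1, card)
    states += [wd.tick(now=250), wd.tick(now=350)]
    return states, len(prompts)
```

With the card moved to another reader the 350 s rekey succeeds and, under the default policy, nobody is asked for the PIN again; with the card left out the same rekey drops the session. Note that the removal is only noticed at the next rekey, which is the trade-off of this approach: the interval bounds how long a session outlives the card, and a tighter bound costs more card operations.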