On Tuesday 28 November 2006 12:04, Christian Horn wrote:
> On Mon, Nov 27, 2006 at 05:35:30PM +0200, Alon Bar-Lev wrote:
> > 1. You don't expect application to require the user to store the
> > PIN hard coded in configuration file...
> > [...]
> > 3. If the user removes and inserts his card, the application
> > should reprompt for PIN when private object is accessed.
> > [...]
> > 4. If the user removes the card from one reader and inserts it into
> > another reader, the application should detect that it is the same
> > card, and not prompt the user for credentials again.
> > [...]
> > 7. If application uses persistent connection, such as VPN or SSL
> > session which is initiated by smartcard operation, the session
> > should be disconnected (if requested by user) once the smartcard
> > is removed.
>
> You have 2 sides requesting stuff there:
> - the application/application-provider-side, trying to enforce some
>   security-measures (i.e. enter pin for every single operation, take
>   service down immediately on removal of card)
> - the user: wants to work without being bugged.

Right. But ANY application MUST support releasing any resources when
smartcard is removed.

> IMHO the application can suggest such behaviour but the user should
> be the one able to configure the behaviour.

Right. Application MAY support different schemes, as long as it supports
the basic ones.

> To enforce i.e. that
> the service is taken down (let's take a VPN) you can enforce
> rekeyings that need the key on the card all five minutes and get
> the service down that way.

True... But to be compliant it MUST support this feature, of course the
user can turn it off...

> Was just reading out from your suggestions the card-management layer
> like opensc could enforce this, that wouldn't work.

It is not enough that these features are supported by the middleware,
the application must be aware of it and expose them within its behavior.

Best Regards,
Alon Bar-Lev.

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
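An added example, not code from this thread, OpenSC or any project mentioned in it: a small Python model of the application-side behaviour discussed above, covering PIN re-prompt after reinsertion (item 3), user-configurable session teardown on removal (item 7), and the five-minute rekeying as a fallback. The class, its method names, the reader event interface and the use of a token serial as identity are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class CardPolicy:
    """Constructed model: the application reacts to reader events itself."""
    disconnect_on_removal: bool = True             # item 7, user may turn it off
    rekey_interval: int = 300                      # seconds (five-minute rekeying)
    present: dict = field(default_factory=dict)    # reader name -> token serial
    logged_in: set = field(default_factory=set)    # serials with a verified PIN
    sessions: dict = field(default_factory=dict)   # session id -> [serial, rekey due]
    log: list = field(default_factory=list)        # (session id, reason dropped)

    def insert(self, reader, serial):
        self.present[reader] = serial

    def remove(self, reader):
        serial = self.present.pop(reader, None)
        if serial is None:
            return
        self.logged_in.discard(serial)             # item 3: PIN state ends on removal
        if self.disconnect_on_removal:
            for sid in [s for s, v in self.sessions.items() if v[0] == serial]:
                self._drop(sid, "card removed")

    def use_private_key(self, serial, pin_prompt):
        if serial not in self.present.values():
            raise LookupError("token not present")
        if serial not in self.logged_in:
            pin_prompt(serial)                     # ask the user, never a config file
            self.logged_in.add(serial)

    def open_session(self, sid, serial, now, pin_prompt):
        self.use_private_key(serial, pin_prompt)
        self.sessions[sid] = [serial, now + self.rekey_interval]

    def tick(self, now, pin_prompt):
        """Rekey every due session; a rekey needs the key on the card."""
        for sid, (serial, due) in list(self.sessions.items()):
            if now < due:
                continue
            try:
                self.use_private_key(serial, pin_prompt)
                self.sessions[sid][1] = now + self.rekey_interval
            except LookupError:
                self._drop(sid, "rekey failed")

    def _drop(self, sid, why):
        del self.sessions[sid]
        self.log.append((sid, why))
```

With `disconnect_on_removal` turned off, the session outlives the card until the next rekey comes due, which is the window the rekeying approach leaves open.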