Martin Paljak wrote:
> On Jan 28, 2010, at 12:50 , Viktor TARASOV wrote:
>
>> Hi Martin,
>>
>> Martin Paljak wrote:
>>
>>> On Jan 28, 2010, at 10:28 , [email protected] wrote:
>>>
>>>> Revision: 3952
>>>> Author: viktor.tarasov
>>>> Date: 2010-01-28 08:28:25 +0000 (Thu, 28 Jan 2010)
>>>>
>>>> Log Message:
>>>> -----------
>>>> pkcs11: do not create slot for PUK
>>>>
>>> This provided an easy way to change the PUK code via a GUI - Firefox. Are
>>> there other ways a PUK code could be exposed via PKCS#11?
>>>
>> Fairly, I've done it in a reason of Firefox -- when looking for the
>> keys, it tries to login into the every available slot.
>>
> For Firefox to work as expected (probably) you need to have the module loaded
> with "Friendly certs" flag set, this directs NSS to treat tokens as their
> certificates don't require a login before.
>
> Unfortunately, there is no GUI for this and the module needs to be loaded
> with javascript. The javascript interface used to be available for public use
> until v3.5 which disabled it for "security reasons".
>
> See https://bugzilla.mozilla.org/show_bug.cgi?id=511652 for more information.
>
>> Do we really need to be able to change PUK through PKCS#11?
>> If so, I will roll it back.
>>
> The onepin pkcs#11 module was also created to please Firefox (the friendly
> certs trick, the nonrepudiation keys issue among others)
>
> It would be nice if there was a feature-complete PKCS#11 module that exposes
> as much as possible as flexibly as possible and a "dumb module" that would
> please Firefox/NSS.
>
> For Estonian eID, the "onepin" could be translated as "module with no
> non-repudiation keys". What other requirements this module should have?
>

Ok, thanks.
By the way, afaiu, nonrepudiation key presume existence of something like 'Sign PIN'.
If so, how do you expose this PIN to PKCS#11?

>> Or as usual,
>> I can replace decision to the pkcs11 section of opensc.conf.
>>
> A sensible default is probably the best idea.
>

Sorry, I've not understood -- do you vote for enabling 'User PUK Slot' by default?

--
Viktor Tarasov <[email protected]>

_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
