On Jan 28, 2010, at 23:59 , Douglas E. Engert wrote: > Please don't allow the user to accidentally try and change the PUK. > The PUK should be reserved for the card admin, not the user. > If the OpenSC is going to provide a way to change the PUK, > via PKCS#11, please consider making this an option (off by default) > in the opensc.conf.
This depends on the nature and personalization of the card and is not absolute truth. The distinction between "card administrator" and "card user" depends more on organizational rules and in case of self-personalized (not read-only) cards is purely artificial. PUK often means "personal unlocking key" or "pin unblocking key" or something similar and by name and nature has everything to do with the user/PIN owner, not the card admin/issuer. Accidentally exposing and thus changing/locking the PUK code (like Firefox trying to log on to every slot it sees) is bad, agreed. But hiding it is also not an (perfect) option. PKCS#11 dos not have the term PUK at all, nor does it cover unblocking. PKCS#15 refers to unblocking in very general terms by saying that a PIN object can be used for unblocking other PIN objects not anything more specific, AFAIS. If the current slot creation mechanism uses PINs to draw slot borders, I don't see why it should be made differently for PINs that can be used for unlocking other PINs . I believe that OpenSC should provide two different PKCS#11 modules (without the casual user having to tweak any configuration file): - one that provides as much functionality supported by OpensC core/driver/cards in as sensible ways as possible - one that pleases some well known applications or use cases (like Firefox) and limits/customizes some functionality -- Martin Paljak http://martin.paljak.pri.ee +3725156495 _______________________________________________ opensc-devel mailing list [email protected] http://www.opensc-project.org/mailman/listinfo/opensc-devel
