Andreas Jellinghaus wrote:
> On Monday 01 March 2010 11:53:29 Viktor TARASOV wrote:
>
>> All my respects to this driver, the ancestor of many current drivers. It
>> took me a certain time to get to know how it works.
>> Yes, it will break multiple PINs for 'flex' cards -- for this card only
>> two local PINs per DF are possible.
>> But is the multiple PINs functionality really asked for (for this
>> card)?
>>
>
> some people on the list seem to use it - even complained how few pins / keys /
> certificates were possible (with size tuning more should be possible).
>

Is it really PINs or Keys?
In fact, for this card every PIN (UserPIN) and Key needs a separate DF.
What I'm talking about does not concern Keys, only PINs.

> is "pin domain" the name for the "lets create a subdir for each pin and
> put stuff protected by that pin in there" feature?
>

Yes.

> if I understand you correctly, that is not possible without "pin domain".
> or is it, with global instead of local pins?
>

Not for this card. According to the specs, only two PINs per DF are allowed.
In our case they are used as SOPIN and UserPIN.
If more than one UserPIN is needed, a specially dedicated DF has to be created for each one.

In OpenSC the 'flex' card is finally formatted with both local PINs, even if in the profile these PINs have no 'local' attribute.
The SOPIN is defined in the application DF (5015), and the UserPIN is defined in its subdirectory, instantiated from 'pin-domain'.
(In the initialization procedure the global PINs are used as temporary PINs, to allow the ACLs of the final PINs and the ACLs of the application DF to reference the not-yet-existing PINs.)

> what exactly is the difference of global vs. local pins from pkcs#11/15
> point of view? IIRC some cards have the pins in the filesystem hierarchy,
> only files in the dir with the pin (or subdirs) can be protected with it.
> other cards have global security objects - not sure if it matters at all
> where they are stored/created/are independent of the selected directory.
> (cardos IIRC)
>

Global PINs can be verified from everywhere in the card, and so 'path' is not a mandatory pkcs15 attribute.
A local PIN can be verified only from somewhere under the DF where it was defined -- 'path' is mandatory.
(A local PIN defined in the MF is a global one.)

> Regards, Andreas
>

Finally, if you tell me that somebody uses the multi-pin-domains with the 'flex' card, there is no choice, we need to keep it.

Kind regards,
Viktor.
--
Viktor Tarasov <[email protected]>

_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
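The PIN-scope rules Viktor describes (a global PIN verifiable from anywhere with 'path' optional, a local PIN verifiable only under its defining DF with 'path' mandatory, a PIN defined in the MF being global, and the 'flex' limit of two PINs per DF that forces one sub-DF per additional UserPIN) can be modelled in a few lines. The block below is an added illustration for this archived thread; it is not OpenSC code and does not talk to a card. The file identifiers 3F00 and 5015 and the two-PIN limit come from the message; the sub-DF identifiers 5100, 5101, ... and all class and function names are assumptions made for the example.

```python
"""Model of the PKCS#15 PIN-scope rules discussed in the message above.

Added illustration, not OpenSC code.  Facts taken from the message: two PINs
per DF on 'flex', SOPIN in application DF 5015, one sub-DF per extra UserPIN,
a PIN defined in the MF is global.  The sub-DF FIDs 5100, 5101, ... and the
names below are assumptions made for the example.
"""
from dataclasses import dataclass

MF = (0x3F00,)               # master file; PINs defined here are global
APP_DF = MF + (0x5015,)      # PKCS#15 application DF named in the message
MAX_PINS_PER_DF = 2          # 'flex' limit: two local PINs per DF


def fid_str(path: tuple) -> str:
    """Render a path of file identifiers as 3F00/5015/..."""
    return "/".join(f"{fid:04X}" for fid in path)


@dataclass(frozen=True)
class Pin:
    name: str
    path: tuple   # DF in which the PIN is defined

    @property
    def is_global(self) -> bool:
        # "A local PIN defined in the MF is a global one."
        return self.path == MF

    @property
    def pkcs15_path_required(self) -> bool:
        # A global PIN can be verified from anywhere, so 'path' is optional;
        # a local PIN needs 'path' so the caller can select the right DF first.
        return not self.is_global

    def verifiable_from(self, current_df: tuple) -> bool:
        """True if the PIN can be verified while current_df is selected."""
        if self.is_global:
            return True
        # Local PIN: only from its own DF or a DF underneath it.
        return current_df[:len(self.path)] == self.path


class FlexLayout:
    """PIN placement on a 'flex' card, enforcing the per-DF limit."""

    def __init__(self):
        self.pins: list[Pin] = []

    def pins_in_df(self, df: tuple) -> list[Pin]:
        return [p for p in self.pins if p.path == df]

    def add_pin(self, name: str, df: tuple) -> Pin:
        if len(self.pins_in_df(df)) >= MAX_PINS_PER_DF:
            raise ValueError(
                f"DF {fid_str(df)} already holds {MAX_PINS_PER_DF} PINs; "
                "a further PIN needs its own DF (a pin-domain)")
        pin = Pin(name, df)
        self.pins.append(pin)
        return pin


def flat_layout(user_pins: list[str]) -> FlexLayout:
    """Everything in the application DF: works only for a single UserPIN."""
    layout = FlexLayout()
    layout.add_pin("SOPIN", APP_DF)
    for name in user_pins:
        layout.add_pin(name, APP_DF)   # raises on the second UserPIN
    return layout


def pin_domain_layout(user_pins: list[str]) -> FlexLayout:
    """SOPIN in 5015, each UserPIN in its own sub-DF (the 'pin-domain' way)."""
    layout = FlexLayout()
    layout.add_pin("SOPIN", APP_DF)
    for i, name in enumerate(user_pins):
        domain = APP_DF + (0x5100 + i,)   # assumed sub-DF FIDs for the example
        layout.add_pin(name, domain)
    return layout


if __name__ == "__main__":
    layout = pin_domain_layout(["UserPIN1", "UserPIN2", "UserPIN3"])
    for p in layout.pins:
        print(f"{p.name:9s} in {fid_str(p.path):15s} global={p.is_global!s:5s} "
              f"path required={p.pkcs15_path_required}")
    so, u2 = layout.pins[0], layout.pins[2]
    print("SOPIN verifiable from UserPIN2's DF:", so.verifiable_from(u2.path))
    print("UserPIN2 verifiable from 5015:", u2.verifiable_from(APP_DF))
    try:
        flat_layout(["UserPIN1", "UserPIN2"])
    except ValueError as e:
        print("flat layout:", e)
```

Running the block shows why the pin-domain sub-DFs are needed on this card: a third PIN in 5015 is refused, while each UserPIN placed in its own sub-DF remains verifiable from its own subtree, and the SOPIN in 5015 stays verifiable from every sub-DF below it.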
