Andreas Jellinghaus wrote:
> On Monday 01 March 2010 17:02:29, Viktor TARASOV wrote:
>
>> Finally,
>> if you tell that somebody uses the multi-pin-domains with the 'flex' card,
>> there is no choice, we need to keep it.
>>
>
> not sure. but I think people tried to create several pins with different
> keys/certificates assigned to them.
>
> maybe it is not bad if that no longer works with cryptoflex. but isn't
> it likely someone else might want to try that again in the future, maybe
> with some other driver, but still?
>
> last time I looked at eid cards, the ones I saw in Germany often have
> three rsa keys - lawful signature, authentication, email decryption,
> and different pins for them (although I think only two pins - one for
> lawful signatures, and one for authentication/decryption).
>
> so it might be a good idea if opensc could be used to configure cards
> to mimic that. not terribly important, but if the "pin-domain" infrastructure
> helps with such setups, it might be nice.
>

As for me, 'pin-domains' is a 'flex'-specific feature and exists because of the 'flex' limitation - not more than two PINs per DF. We don't need it for the cards that do not have this limitation and so can keep the objects protected with different PINs in the same DF. The profiles of such cards can define the number of PINs (in the same DF), and the objects' ACLs can be defined with direct PIN references (CHV1, CHV2, ...). Some of the card profiles already use this ACL syntax.

As for me, if one starts to separate the objects in different DFs, it would be better to organize it in a more general manner -- multiple pkcs15 applications.

> on the other hand I also agree that code that isn't used except by one card,
> and that card is old and no longer sold, and even users of that card are
> unlikely to have ever used that feature, then such code should probably
> be removed in favor of smaller, better to maintain and understandable
> code base.
>
> so I don't know what is best either.

... neither do I.

> I leave the decision to you,
> as you know the code etc. best.
>
> Regards, Andreas
>

Kind wishes,
Viktor.

--
Viktor Tarasov <[email protected]>
