Hello,

On Apr 21, 2010, at 20:25 , Viktor TARASOV wrote:
> I would like to start a new OpenSC sub-project, forked from the current
> trunk,
> that should be an experimental branch for the implementation of
> SecureMessaging, MultiApplication,
> combined ACLs, etc.
>
> At the beginning this sub-project should support the cards natively
> compatible with PKCS#15.

A sub-project or a branch? I suspect the latter?

> The main features are:
> - 'Secure Messaging' and 'External Authentication' are performed by an
> external, dynamically loadable module. This relatively small module has
> different implementations:
> -- the 'local' version has access to the keysets and is used mostly for tests;
> -- the 'distant' version should communicate with some distant entity capable
> of generating secured APDUs. (In our SCM application such a module uses
> IPC to communicate with the XPCOM extension of the application's XUL
> client-side part. This last one, in its turn, uses XMLHttpRequest to
> communicate with the distant server that has knowledge of the keysets.)
>
> - two 'Secure Messaging' usage modes:
> -- 'config' mode: all transactions that, according to the card
> specification, can be done under SM will be secured with SM (as was
> suggested a long time ago by the comments in the 'do_single_transmit' procedure);
> -- 'acl' mode: SM (as well as External Authentication) is used only when
> really needed and is triggered by the ACL of the next operation.
>
> - Multiple on-card PKCS#15 applications: for example an IAS/ECC card with
> administration support that has 'general' and 'administration' applications.
>
> - Combined ACLs: for example a signature with a NonRepudiation key can ask for
> 'Sign-PIN && Sign-SM'; PIN unblock can be protected by 'PUK ||
> ExternalAuthentication'.

Just curious: for "Sign-PIN && Sign-SM", how would the operation look with pinpads?
a) PIN is verified with a pinpad, without SM, and the sign operation is sent with SM?
b) PIN can not be verified with a pinpad, the PIN verification and the sign operation both require SM (and thus the PIN block can not be built by the reader)?

Does the "multi on-card PKCS#15 application" support require SM?

-- 
Martin Paljak
http://martin.paljak.pri.ee
+3725156495
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
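To make the combined-ACL and 'acl'-mode ideas from the proposal concrete, here is a small C model added as an illustration; it is not OpenSC code and none of the names (`enum cond`, `struct acl`, `acl_required`, `apdu_uses_sm`, the `sign_acl` and `unblock_acl` trees) exist in the project. It represents an ACL as a boolean tree of security conditions, evaluates it against the conditions already established in a session, and reports which conditions still have to be established, which is exactly the information an 'acl'-mode dispatcher needs to decide whether to open SM or run External Authentication before the next command. The two example trees encode the proposal's own cases, 'Sign-PIN && Sign-SM' and 'PUK || ExternalAuthentication'.

```c
#include <stdio.h>

/* Security conditions an operation's ACL can demand, as bit flags so the
 * session's "what has already been established" state is one unsigned value.
 * All names in this file are constructed for the example, not OpenSC types. */
enum cond {
    COND_PIN      = 1u << 0,  /* user PIN verified ("Sign-PIN")              */
    COND_PUK      = 1u << 1,  /* PUK verified                                */
    COND_SM       = 1u << 2,  /* secure-messaging channel open ("Sign-SM")   */
    COND_EXT_AUTH = 1u << 3   /* External Authentication completed           */
};

/* A combined ACL is a boolean tree: a leaf condition, or AND/OR of two subtrees. */
enum acl_kind { ACL_COND, ACL_AND, ACL_OR };

struct acl {
    enum acl_kind kind;
    unsigned cond;               /* used when kind == ACL_COND        */
    const struct acl *lhs, *rhs; /* used when kind is ACL_AND/ACL_OR  */
};

static unsigned bits_set(unsigned v)
{
    unsigned n = 0;
    for (; v; v &= v - 1)
        n++;
    return n;
}

/* Is the ACL satisfied by the conditions already established in `state`? */
int acl_satisfied(const struct acl *a, unsigned state)
{
    switch (a->kind) {
    case ACL_COND: return (state & a->cond) == a->cond;
    case ACL_AND:  return acl_satisfied(a->lhs, state) && acl_satisfied(a->rhs, state);
    case ACL_OR:   return acl_satisfied(a->lhs, state) || acl_satisfied(a->rhs, state);
    }
    return 0;
}

/* 'acl' mode: which conditions must still be established before the operation?
 * AND needs the missing pieces of both sides; OR needs nothing if one side
 * already holds, otherwise the side with the fewer missing conditions. */
unsigned acl_required(const struct acl *a, unsigned state)
{
    unsigned l, r;
    switch (a->kind) {
    case ACL_COND:
        return a->cond & ~state;
    case ACL_AND:
        return acl_required(a->lhs, state) | acl_required(a->rhs, state);
    case ACL_OR:
        if (acl_satisfied(a, state))
            return 0;
        l = acl_required(a->lhs, state);
        r = acl_required(a->rhs, state);
        return bits_set(l) <= bits_set(r) ? l : r;
    }
    return 0;
}

enum sm_mode { SM_MODE_CONFIG, SM_MODE_ACL };

/* Decide whether one APDU is wrapped in SM. 'config' mode secures every command
 * the card specification allows under SM; 'acl' mode secures only commands whose
 * ACL demands COND_SM (evaluated as if the channel were not open yet, so an
 * already-open channel is still used for the commands that require it). */
int apdu_uses_sm(enum sm_mode mode, int card_allows_sm, const struct acl *a, unsigned state)
{
    if (mode == SM_MODE_CONFIG)
        return card_allows_sm;
    return (acl_required(a, state & ~COND_SM) & COND_SM) != 0;
}

/* Constructed ACL trees for the two cases named in the proposal. */
static const struct acl pin_ok = { ACL_COND, COND_PIN,      NULL, NULL };
static const struct acl sm_ok  = { ACL_COND, COND_SM,       NULL, NULL };
static const struct acl puk_ok = { ACL_COND, COND_PUK,      NULL, NULL };
static const struct acl ext_ok = { ACL_COND, COND_EXT_AUTH, NULL, NULL };
const struct acl sign_acl    = { ACL_AND, 0, &pin_ok, &sm_ok };  /* Sign-PIN && Sign-SM          */
const struct acl unblock_acl = { ACL_OR,  0, &puk_ok, &ext_ok }; /* PUK || ExternalAuthentication */

int main(void)
{
    unsigned state = COND_PIN;  /* PIN already verified, no SM channel yet */
    printf("sign: satisfied=%d still required=0x%x uses_sm=%d\n",
           acl_satisfied(&sign_acl, state), acl_required(&sign_acl, state),
           apdu_uses_sm(SM_MODE_ACL, 1, &sign_acl, state));
    printf("unblock: satisfied=%d still required=0x%x uses_sm=%d\n",
           acl_satisfied(&unblock_acl, 0), acl_required(&unblock_acl, 0),
           apdu_uses_sm(SM_MODE_ACL, 1, &unblock_acl, 0));
    return 0;
}
```

The design point is that `acl_required` separates "what the ACL demands" from "how the condition gets established": the caller learns that `COND_SM` is still missing for the signature and that `COND_PUK` alone would satisfy the unblock, and only then chooses whether to load the SM module or prompt for a PUK. Keeping that decision in one place, rather than scattered over per-command code, is what makes 'acl' mode auditable.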