Martin Paljak wrote:
> On Jun 2, 2010, at 07:06 , Xiaoshuo Wu wrote:
>
>> I figured out a solution: add a new option combination "--change-attributes
>> pin --pin-flags local --id $pin_id" in pkcs15-init command, so one can add
>> "local" pin-flag without reinitializing the card.
>>
>> Here are the steps:
>> 0. Apply the patch in my attachment.
>> 1. Use "pkcs15-tool -D", get PIN's ID XX.
>> 2. Run "pkcs15-init -A pin --pin-flags local -i XX", set the "local" pin-flag.
>>
>> It's a bit shaggy, but straight.
>>
>
> This makes sense, with the exception that if it is possible to change PIN
> flags afterwards, it should be possible to set them via command line when
> creating the PIN as well. I'm a bit lost now how this relates to profile
> information, which also specifies PIN flags and how much should be tweakable
> via command line at initialization stage, to still be apprehensible and
> provide a working and consistent solution. I'm not sure if exposing arbitrary
> bit field manipulation to the end user is a good idea.
>
I agree.
PIN's flags are defined in the card profile, are set when the PIN is created
and should not be exposed for changes afterwards.

For me this problem is the problem of the entersafe driver
and should be solved at the card's driver level.
To help with it, some obscure pkcs15init operation 'sanity-check' can be introduced
and every card's driver can implement it as it likes.

Another connected question: when the card's profile contradicts the card facilities
and the implemented driver, what should be done:
- accept silently the profile settings (that's the case with entersafe + opensc-0.11.13);
- silent correction of the object attributes (not nice for me: profile settings
  should have the highest priority);
- throw an error in the card driver (as for me that's the right solution).

Kind wishes,
Viktor.

--
Viktor Tarasov <viktor.tara...@opentrust.com>