I'm glad that in my KeyGen2/SKS project I was not limited by all the crap out there, but had the opportunity to create something new that hopefully won't need endless patching and/or national profiles.
In SKS each key may have a policy. This includes things like:

- User modifiable PIN or not (SKS)
- PIN sync with a group of keys (SKS)
- Applicable PIN patterns (SKS)
- If PIN must be supplied through a "trusted GUI" or can be programmatic (TE)
- The purpose of the key (TE)
- An optional list of "endorsed" algorithms (SKS)

SKS: enforced by the container itself
TE: enforced by a Trusted Environment

Currently missing from the spec is a way to constrain which applications may use the key (TE). This is very important, particularly for mobile phones, since they will eventually replace most of our cards and you don't want to lock down the entire device due to that.

I guess this feature is missing in OpenSC as well?

Anders

jons...@terra.es wrote:
> Working with Spanish DNIe code, I've received some feedback [1] from
> Dirección General de la Policía about removal of "user consent" code
> on signature process
>
> AFAIK this theme has been discussed at OpenSC [2]. As a result, user
> consent code was removed from OpenSC. The same went for the
> opensc-signer module
>
> But here comes a problem: Spanish authorities' certification rules
> require that every signing procedure must be notified to the user by
> means of the middleware, regardless of the behaviour of the main
> application. Removal of User Consent (as Martin did in github [3])
> results in un-certifiable code
>
> [1] http://www.kriptopolis.org/opensc-cenatic#comment-58751
> [2] http://www.opensc-project.org/opensc/ticket/232
> [3] http://github.com/martinpaljak/OpenSC/tree/dnie
>
> So, as a Solomon's solution, based on OpenSC-0.11.14's "dialog.c",
> I've written new code (attached) that makes user consent configurable
> (at this moment for DNIe code)
>
> What are your feelings on this?
>
> Thanks in advance
> Juan Antonio
>
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel