On Mon, 2010-11-01 at 21:35 +0000, Mr Dash Four wrote:
> > It's completely hidden, for sure. Without login, you cant decided, if
> > there are private objects on the token or not.
> >   
> True, after testing it earlier there is nothing there to see - it is as 
> if the token does not exist (rightly so, I think).
> 
> 
> >> I have to think about what other/better alternatives I have as executing 
> >> "pkcs11-tool -O" and filtering the output seems to me a bit clumsy.
> >>     
> >
> > You could write public readable meta data to the token. I.e. a object
> > where all the IDs of private objects are stored. But this requires
> > synchronisation on every create/delete operation.
> >   
> Actually, having thought about it again, I think it makes sense that 
> without proper authorisation there shouldn't even be a hint that this 
> object exists. In which case I will have to implement just two modes - 
> 'public' or 'private' - and leave it at that.
> 
> As an aside question: when I create a data token I could specify 
> "--auth-id" (I normally chose "--auth-id=01" if I need that data token 
> to be private), which, to me, implies that I could register more than 
> one "auth-id".

Do you use auth-id with pkcs15-init? If true, then you could specify
more than one. Each auth-id correlates to an authentication object,
which in turn defines a protection domain and has its own PIN. But the
PKCS#11 API maps each protection domain to a different token.

Compare output of "pkcs15-tool -D" and "pkcs11-tool -L".

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Reply via email to