Hi,

> From: opensc-devel-boun...@lists.opensc-project.org [mailto:opensc-devel-
> 
> On 13.01.2011 16:43, Aventra wrote:
> >> From: opensc-devel-boun...@lists.opensc-project.org [mailto:opensc-devel-boun...@lists.opensc-project.org] On Behalf Of Viktor TARASOV
> >>
> >> On 11.01.2011 13:32, Aventra development wrote:
> >>> What do you think about the possibility that when a card is initialized using pkcs15-init, it would create the whole structure that is defined in the profile used?
> >>> Currently it only creates the necessary files during initialization, but not any private or public key DIR files etc. that are essential when actually using the card.
> >>>
> >> It can be and, imho, has to be done.
> >> There is no need for an additional configuration option -- the condition for creating the xDF files during initialization is that their 'CREATE' operation is protected by SOPIN.
> >> In your profile, do you have different 'CREATE' ACLs for the xDF and object data (for ex. certificates) files?
> > No these are the same.
> 
> Do you use the myeid.profile that is actually in the trunk?
> Normally you don't need SOPIN if you use it. The essential CREATE and UPDATE ACLs reference the User PIN.
> In my tests with opensc tools (import PKCS#12, key generation) SOPIN was not needed for the MyEID card.

Yes I agree that normally the SO-PIN is not needed, but I think we are
talking about different things now.
Somebody might want to protect the card more than others. At least in
Finland it is very common to have 3 PIN codes (basic, sign and so-pin), 
and the SO-PIN protects these xDF files from deletion (not update of
course).

> 
> Debug logs will be sufficiently eloquent.
> 
> 
> > It would be important if OpenSC would create the
> > entire structure defined in the myeid.profile.
> Agree in the case when 'CREATE' of the xDF files is protected by SOPIN.

I mean that I would like to have pkcs15-init create the entire PKCS#15
structure defined in the profile, no matter what the ACLs are, since other
software doesn't know how to create these files if they don't exist. Now a
card initialized with OpenSC can only be used with OpenSC until all necessary
files have been created. No point in creating dummy keys only to get the
file structure created...

Kind regards,
Toni

> 
> 
> > How about other cards, is the entire structure created when initializing
> > them?
> Some of them use 'one-pin' profile, other do not protect with SOPIN the
> 'CREATE'/'UPDATE' operations of the 'essential' files.
> 
> 
> > This issue does not affect OpenSC, because it can create the missing files,
> > it is more about cross compatibility with other software that might know how
> > to use the MyEID card (add certificate etc.) but will not create any PrKDF
> > etc...
> >

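The xDFs this thread is about (PrKDF, PuKDF, CDF, AODF) are found by a client through EF(ODF): each ODF record is a context-tagged PKCS15Objects entry whose tag number says which directory file it references and whose usual content is a Path (PKCS#15 v1.1, section 6.1). A third-party application opening a card that pkcs15-init initialized without those files is therefore left with an ODF that has no record to follow, which is the interoperability gap Toni describes. The script below is an added example, not OpenSC code and not from the original post: it decodes an ODF and reports which of the essential xDF references are missing. The file IDs 4401..4404 under 3F00/5015 and the index/length values are constructed sample data, and the inlined-objects branch is handled only to the extent of noting that no separate file is referenced.

```python
"""Decode a PKCS#15 EF(ODF) and report which xDFs it references.

Added example, not OpenSC code.  The ODF bytes at the bottom are constructed
sample data (file IDs 4401..4404 under 3F00/5015 are assumptions, not MyEID
values)."""

from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# PKCS15Objects CHOICE alternatives (PKCS#15 v1.1): the context tag number of
# each ODF record identifies the directory file it points to.
ODF_KINDS = {
    0: "PrKDF",            # privateKeys
    1: "PuKDF",            # publicKeys
    2: "PuKDF (trusted)",  # trustedPublicKeys
    3: "SKDF",             # secretKeys
    4: "CDF",              # certificates
    5: "CDF (trusted)",    # trustedCertificates
    6: "CDF (useful)",     # usefulCertificates
    7: "DODF",             # dataObjects
    8: "AODF",             # authObjects
}

# What a client needs before it can add a key pair and certificate to the card.
ESSENTIAL = ("PrKDF", "PuKDF", "CDF", "AODF")


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one DER TLV at buf[pos]; return (tag byte, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if tag & 0x1F == 0x1F:
        raise ValueError("high tag numbers are not expected in an ODF")
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("indefinite, oversized or truncated DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV length runs past end of data")
    return tag, buf[pos:end], end


def iter_tlvs(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, value) for each top-level TLV in buf; an ODF is a bare sequence of records."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


@dataclass
class OdfEntry:
    kind: str
    path: Optional[bytes]          # None when the record inlines its objects instead of giving a path
    index: Optional[int] = None    # Path.index, if present
    length: Optional[int] = None   # Path.length [0], if present


def parse_path(seq: bytes, kind: str) -> OdfEntry:
    """Path ::= SEQUENCE { path OCTET STRING, index INTEGER OPTIONAL, length [0] INTEGER OPTIONAL }."""
    fields = list(iter_tlvs(seq))
    if not fields or fields[0][0] != 0x04:
        raise ValueError("Path must start with an OCTET STRING")
    entry = OdfEntry(kind=kind, path=fields[0][1])
    for tag, value in fields[1:]:
        if tag == 0x02:
            entry.index = int.from_bytes(value, "big", signed=True)
        elif tag == 0x80:  # [0] IMPLICIT INTEGER
            entry.length = int.from_bytes(value, "big", signed=True)
        else:
            raise ValueError(f"unexpected tag 0x{tag:02X} in Path")
    return entry


def parse_odf(odf: bytes) -> List[OdfEntry]:
    """Return every PKCS15Objects record in an ODF, in file order."""
    entries: List[OdfEntry] = []
    for tag, value in iter_tlvs(odf):
        if tag & 0xE0 != 0xA0 or (tag & 0x1F) not in ODF_KINDS:
            raise ValueError(f"not a PKCS15Objects record: tag 0x{tag:02X}")
        kind = ODF_KINDS[tag & 0x1F]
        inner_tag, inner, end = read_tlv(value, 0)
        if end != len(value):
            raise ValueError("trailing bytes after PathOrObjects")
        if inner_tag == 0x30:  # PathOrObjects.path
            entries.append(parse_path(inner, kind))
        else:  # objects [0] / indirect-protected [1] / direct-protected [2]: no separate file
            entries.append(OdfEntry(kind=kind, path=None))
    return entries


def missing_essential(odf: bytes) -> List[str]:
    """Names of the essential xDFs that the ODF does not reference at all."""
    present = {e.kind for e in parse_odf(odf)}
    return [k for k in ESSENTIAL if k not in present]


# --- constructed sample ODFs (short-form DER is enough for these sizes) ---

def der(tag: int, content: bytes) -> bytes:
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def der_int(n: int) -> bytes:
    """DER INTEGER for non-negative n; the +8 forces a leading 0x00 when the top bit is set."""
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def odf_record(kind_tag: int, path: bytes, index: Optional[int] = None, length: Optional[int] = None) -> bytes:
    seq = der(0x04, path)
    if index is not None:
        seq += der_int(index)
    if length is not None:
        seq += b"\x80" + der_int(length)[1:]  # re-tag the INTEGER as [0] IMPLICIT
    return der(0xA0 | kind_tag, der(0x30, seq))


PKCS15_DF = bytes.fromhex("3F005015")  # assumed PKCS#15 application DF path
FULL_ODF = (                            # what a client expects after a complete initialization
    odf_record(0, PKCS15_DF + bytes.fromhex("4401"))
    + odf_record(1, PKCS15_DF + bytes.fromhex("4402"))
    + odf_record(4, PKCS15_DF + bytes.fromhex("4403"), index=0, length=200)
    + odf_record(8, PKCS15_DF + bytes.fromhex("4404"))
)
MINIMAL_ODF = (                         # only the files needed to verify a PIN and read a certificate
    odf_record(4, PKCS15_DF + bytes.fromhex("4403"))
    + odf_record(8, PKCS15_DF + bytes.fromhex("4404"))
)

if __name__ == "__main__":
    for name, odf in (("full", FULL_ODF), ("minimal", MINIMAL_ODF)):
        print(f"{name} ODF ({len(odf)} bytes):")
        for e in parse_odf(odf):
            where = e.path.hex().upper() if e.path is not None else "inline objects"
            extra = f" index={e.index} length={e.length}" if e.index is not None else ""
            print(f"  {e.kind:<6} -> {where}{extra}")
        print("  missing:", missing_essential(odf) or "none")
```

Run against the minimal ODF the script reports PrKDF and PuKDF as missing, which is exactly the state in which a non-OpenSC client has nowhere to register a newly stored key. The parser rejects truncated records and trailing bytes rather than guessing, since an ODF is read from the card before any PIN is verified and should be treated as untrusted input.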

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel