On 13.01.2011 18:23, Aventra wrote: > Hi, > >> From: opensc-devel-boun...@lists.opensc-project.org >> [mailto:opensc-devel-boun...@lists.opensc-project.org] On Behalf Of Viktor >> TARASOV >> Do you use the myeid.profile that is actually in the trunk? >> Normally you don't need SoPIN if you use it. The essentials CREATE, UPDATE >> acls reference the User PIN. >> In my tests with opensc tools (import PKCS#12, key generation) SOPIN was not >> needed for MyEID card. > Yes I agree that normally the SO-PIN is not needed, but I think we are > talking about different things now. > Somebody might want to protect the card more than others. At least in > Finland it is very common to have 3 PIN codes (basic, sign and so-pin), > and the SO-PIN protects these xDF files from deletion (not update of > course).
So, you are talking about profile that is more protected then the one that is actually in trunk. What do you think, will it be sufficient, during the card initialization, to create all xDF files that have 'CREATE' protected by SOPIN ? If yes, we don't need additional profile configuration option. If not, probably, we have to introduce some new profile configuration option like 'create-all-xdfs', or 'create-at-initialisation' option for every xDF file in profile, etc ... >>> It would be important if OpenSC would create the >>> entire structure defined in the myeid.profile. >> Agree in the case when 'CREATE' of the xDF files is protected by SOPIN. > I mean that I would like to have pkcs15-init create the entire pkcs#15 > structure defined in the profile, no matter what the ACL:s are. > Since other software doesn't know how to create these files if they don't > exist. You still need to create certificate files, data files, probably more ... They cannot have the same 'protected' ACLs as the xDFs. On 13.01.2011 16:43, Aventra wrote: >> >> From:opensc-devel-boun...@lists.opensc-project.org >> >> [mailto:opensc-devel-boun...@lists.opensc-project.org] On Behalf Of >> >> Viktor TARASOV >> >> In your profile, do you have different 'CREATE' ACLs for xDF and object >> >> data (for ex. certificates) files? > > No these are the same. They cannot have the same 'protected' ACLs as the xDFs. _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
