Hi,

> From: opensc-devel-boun...@lists.opensc-project.org [mailto:opensc-devel-boun...@lists.opensc-project.org] On Behalf Of Viktor TARASOV
> 
> On 13.01.2011 18:23, Aventra wrote:
> > Hi,
> >
> >> From: opensc-devel-boun...@lists.opensc-project.org [mailto:opensc-devel-boun...@lists.opensc-project.org] On Behalf Of Viktor TARASOV
> >> Do you use the myeid.profile that is actually in the trunk?
> >> Normally you don't need SoPIN if you use it. The essentials CREATE, UPDATE
> >> acls reference the User PIN.
> >> In my tests with opensc tools (import PKCS#12, key generation) SOPIN was
> >> not needed for MyEID card.
> > Yes I agree that normally the SO-PIN is not needed, but I think we are
> > talking about different things now.
> > Somebody might want to protect the card more than others. At least in
> > Finland it is very common to have 3 PIN codes (basic, sign and so-pin),
> > and the SO-PIN protects these xDF files from deletion (not update of
> > course).
> 
> So, you are talking about a profile that is more protected than the one that
> is actually in trunk.

Anybody can change the profile if they want to. We have defined a default
profile for MyEID that suits common cases.

> What do you think, will it be sufficient, during the card initialization,
> to create all xDF files that have 'CREATE' protected by SOPIN ?

What I mean is that OpenSC would create the whole structure defined in the
profile, regardless of the ACLs.
I know that the driver can do this by itself, but why not implement it in
OpenSC so that it would work for all cards?

One thing it could do is to check, when initialization is done, each of the
known identifiers (PrKDF, PuKDF, CDF, ...); if these have been defined in the
profile, it would create them.

One additional feature that is lacking from OpenSC is that it does not
create the PIN codes automatically (except the SO-PIN).


> If yes, we don't need additional profile configuration option.
> 
> If not, probably, we have to introduce some new profile configuration
> option like 'create-all-xdfs',
> or 'create-at-initialisation' option for every xDF file in profile, etc ...

I don't see why this structure couldn't always be created, without any new
configuration options. After all, the profile defines the desired structure.

For me, card initialization means that after it has been done, the card can
be used without any further creation of the structure
(xDF files and other files that describe the content of the card). At first
these files would be empty of course.

> >>> It would be important if OpenSC would create the
> >>> entire structure defined in the myeid.profile.
> >> Agree in the case when 'CREATE' of the xDF files is protected by SOPIN.
> > I mean that I would like to have pkcs15-init create the entire pkcs#15
> > structure defined in the profile, no matter what the ACLs are.
> > Since other software doesn't know how to create these files if they
> > don't exist.
> 
> You still need to create certificate files, data files, probably more ...
> They cannot have the same 'protected' ACLs as the xDFs.
> 
> 
> On 13.01.2011 16:43, Aventra wrote:
> 
> >> >> From: opensc-devel-boun...@lists.opensc-project.org [mailto:opensc-devel-boun...@lists.opensc-project.org] On Behalf Of Viktor TARASOV
> >> >> In your profile, do you have different 'CREATE' ACLs for xDF and
> >> >> object data (for ex. certificates) files?
> > > No, these are the same.
> 
> They cannot have the same 'protected' ACLs as the xDFs.

Yes, I understand that there is no point in protecting e.g. a certificate
with SO-PIN.

Kind regards,
Toni
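
The proposal above (create every xDF the profile defines at initialization,
while pkcs15-init still holds the SO-PIN, so that later software holding only
the user PIN never has to create them) can be modelled in a few lines. The
following is an added illustration, not OpenSC code and not Aventra's profile;
the profile representation, the ACL key names (NONE, PIN, SOPIN) and the
function names are all assumptions made for the example. Certificate files are
deliberately not in the list of xDFs, matching Viktor's point that those are
created later under the user PIN.

```python
from dataclasses import dataclass

# PKCS#15 directory files named in the thread, plus DODF and AODF
KNOWN_XDFS = ("PrKDF", "PuKDF", "CDF", "DODF", "AODF")


@dataclass(frozen=True)
class FileSpec:
    """Simplified stand-in for a profile EF entry: the file name and the key
    each operation's ACL references ("NONE" means no authentication)."""
    name: str
    create: str
    update: str
    delete: str


# Constructed profile in the spirit of the 'more protected' layout discussed:
# xDFs are created and deleted under the SO-PIN but updated under the user
# PIN; the certificate file uses the user PIN for everything.
PROTECTED_PROFILE = (
    FileSpec("PrKDF", create="SOPIN", update="PIN", delete="SOPIN"),
    FileSpec("PuKDF", create="SOPIN", update="PIN", delete="SOPIN"),
    FileSpec("CDF",   create="SOPIN", update="PIN", delete="SOPIN"),
    FileSpec("DODF",  create="SOPIN", update="PIN", delete="SOPIN"),
    FileSpec("AODF",  create="SOPIN", update="PIN", delete="SOPIN"),
    FileSpec("Certificate", create="PIN", update="PIN", delete="PIN"),
)


class Card:
    """Minimal card file-system model: a file either exists (with content)
    or not, and every operation is checked against the profile ACL."""

    def __init__(self):
        self.files = {}

    @staticmethod
    def _check(required, verified):
        if required != "NONE" and required not in verified:
            raise PermissionError(
                f"{required} required, only {sorted(verified)} verified")

    def create(self, spec, verified):
        self._check(spec.create, verified)
        self.files[spec.name] = b""  # a freshly created xDF is empty

    def update(self, name, specs, verified, data):
        if name not in self.files:
            raise FileNotFoundError(name)
        self._check(specs[name].update, verified)
        self.files[name] = data


def initialise(card, profile, verified):
    """Proposed pkcs15-init behaviour: walk the profile and create every
    known xDF it defines, using whatever key the CREATE ACL references.
    Returns the names created, in profile order."""
    created = []
    for spec in profile:
        if spec.name in KNOWN_XDFS and spec.name not in card.files:
            card.create(spec, verified)
            created.append(spec.name)
    return created


def app_writes_prkdf(card, profile, verified):
    """A later application (e.g. via PKCS#11) records a key in the PrKDF
    while holding only the keys in `verified`. Returns 'updated' if the
    file existed and could be written, 'created' if the app had to create
    it itself, or 'denied' if the ACL stopped it."""
    specs = {s.name: s for s in profile}
    try:
        if "PrKDF" in card.files:
            card.update("PrKDF", specs, verified, b"\x30\x00")
            return "updated"
        card.create(specs["PrKDF"], verified)
        return "created"
    except PermissionError:
        return "denied"


def demo():
    """Compare a card whose structure was created at initialisation with
    one where the SO-PIN-protected xDFs were left for later software."""
    initialised = Card()
    initialise(initialised, PROTECTED_PROFILE, {"SOPIN", "PIN"})
    skipped = Card()  # structure never created; only the user PIN is available later
    return (app_writes_prkdf(initialised, PROTECTED_PROFILE, {"PIN"}),
            app_writes_prkdf(skipped, PROTECTED_PROFILE, {"PIN"}))


if __name__ == "__main__":
    print(demo())
```

The second result is the situation the thread is about: once the card has
left the initialisation step, an application with only the user PIN can
update an existing xDF but can never create a missing one whose CREATE ACL
references the SO-PIN, so the structure has to be complete before that point.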

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel