Hi,

> -----Original Message-----
> Subject: Re: [opensc-devel] --insecure ?
>
> On 26/04/2011 08:41, Martin Paljak wrote:
>
> > problem is that it is not equally supported by card drivers and always
> > not well supported by applications (which insist on using C_Login
> > before any operations, disregarding CKF_LOGIN_REQUIRED)
> That's an app bug and to be reported as such. Trying to "fix" it at the
> wrong level doesn't do any good. But, for example, ssh doesn't require
> it unless the key is protected (but then it leaves the card in unusable
> state).
> But generating a protected key when --insecure is specified is a bug in
> opensc (or in the card driver). IMHO.
> Since you used --insecure, can you confirm that its misbehaviour is only
> for MyEID cards?

I think that this feature is just missing from the drivers code. Can you Martin say which card you have used the --insecure option with? This could help find the missing code (for us that are not that familiar with the OpenSC code structure and all that :).

> >> I don't know quite well the world of 'controlled/trusted environment',
> >> my interest is rather to administrate the card through the
> >> 'uncontrolled/untrusted' environment.
> > That's a good philosophical difference. IMO the default "security
> > officer" profile of OpenSC is not OK for home users either and the
> > default could be onepin profile.
> Well, I think that at least two PINs are always a good idea: one for
> *use* and one for *administration*, so the user is forced to know he's
> doing something dangerous. If he doesn't like to remember'em, then he
> could simply use the same code for both. But having only one is, IMVHO,
> a really bad idea, just like using 'root' for browsing the web.

I agree. Also a very common scenario is to have 3 PINs, one for normal use, one for signatures (PIN is reset after every use, so user needs to enter PIN explicitly for every signature) and one for administration.

Kind regards,

Toni

> BYtE,
> Diego.