On 4/28/2011 3:37 AM, Toni Sjoblom - Aventra wrote:
> Hello!
>
>> -----Original Message-----
>> Subject: Re: [opensc-devel] --insecure ?
>>
>> On 28/04/2011 09:05, Toni Sjoblom - Aventra wrote:
>>
>>> I agree. Also a very common scenario is to have 3 PINs, one for normal use,
>>> one for signatures (PIN is reset after every use, so the user needs to enter the PIN
>>> explicitly for every signature) and one for administration.
>> How can you tell that a PIN is actually a "signature PIN" that must not
>> be cached? Really enforcing a "re-enter PIN" policy could be done only if the
>> keyboard was on the card (seen some prototypes online, w/ a display, too...
>> but never seen 'em in shops :( ), but making the card "forget" it +
>> "hinting" the driver not to cache it could often work well enough.
>
> Don't know how this could be done for OpenSC, since it caches PIN codes.
> Sometimes this is an issue, because e.g. if you are signing something
> (legally binding stuff), the signature should explicitly be done by the
> person, requiring the user to enter the PIN for each signature.
>
> After successful PIN verification smart cards usually keep the PIN as verified
> until it is reset, but in some cases this is not desired.
> When using MyEID cards, the private key and/or PIN can be set up on the card
> so that the specified PIN is immediately reset after usage.
>
> This is something called "User Consent", and is a common standardized
> feature. MyEID supports this but I don't know if OpenSC does.
Yes, see the user_consent flag. At least 5 cards support this, and
./libopensc/pkcs15-pin.c will not cache the PIN and writes the debug message
"caching refused (user consent)".

> The OpenSC PIN cache should take this into account when caching PINs and
> somehow it should be possible to create PINs or keys that have this flag
> set.
>
> Br,
> Toni
>
>
>> BYtE,
>> Diego.
>
>
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>
>

-- 
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
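The effect of the user-consent flag on a PIN cache, as an added toy model that is not OpenSC code and not part of this thread: a card configured to clear the PIN's verified status after every signature (the MyEID behaviour Toni describes), a framework-side PIN cache, and a signing path that re-verifies on "security status not satisfied" and retries. The flag value, the `toy_` names and the PIN "1234" are all constructed for the example; the only thing taken from the thread is the rule that a PIN marked for user consent is never put in the cache, so every signature costs the user a fresh PIN entry. Without the flag the cache silently re-verifies and the second signature never reaches the user.

```c
/* Toy model of a PIN cache that honours a user-consent flag.
 * Added example; not OpenSC's pkcs15-pin.c, and all names and values are invented. */
#include <stdio.h>
#include <string.h>

#define TOY_PIN_FLAG_USER_CONSENT 0x1u   /* constructed flag, not OpenSC's real value */

struct toy_card {
    const char *reference_pin;   /* PIN stored on the card (constructed: "1234") */
    int pin_verified;            /* card's security status for this PIN */
    int reset_pin_on_sign;       /* card clears the PIN status after each signature */
};

struct toy_framework {
    char cached_pin[16];         /* host-side PIN cache */
    int has_cached_pin;
    int prompts;                 /* how often the user was asked to type the PIN */
};

/* Simulated terminal: the user types a PIN. Counting prompts is the whole point. */
static const char *toy_prompt_user(struct toy_framework *fw, const char *user_input)
{
    fw->prompts++;
    return user_input;
}

/* Card-side VERIFY: sets the security status on success. */
static int toy_card_verify(struct toy_card *card, const char *pin)
{
    if (strcmp(card->reference_pin, pin) != 0)
        return -1;
    card->pin_verified = 1;
    return 0;
}

/* Card-side signature: refused unless the PIN is verified; with
 * reset_pin_on_sign the status is cleared again so the next signature
 * needs a new VERIFY (this is the "user consent" card behaviour). */
static int toy_card_sign(struct toy_card *card)
{
    if (!card->pin_verified)
        return -1;               /* think SW 6982, security status not satisfied */
    if (card->reset_pin_on_sign)
        card->pin_verified = 0;
    return 0;
}

/* Framework-side verify: reuse the cache unless the PIN carries the
 * user-consent flag, and refuse to populate the cache for such PINs. */
static int toy_verify(struct toy_framework *fw, struct toy_card *card,
                      unsigned flags, const char *user_input)
{
    const char *pin;
    int consent = (flags & TOY_PIN_FLAG_USER_CONSENT) != 0;

    if (fw->has_cached_pin && !consent)
        pin = fw->cached_pin;
    else
        pin = toy_prompt_user(fw, user_input);

    if (toy_card_verify(card, pin) != 0)
        return -1;

    if (consent) {
        /* caching refused (user consent): never store this PIN */
        return 0;
    }
    strncpy(fw->cached_pin, pin, sizeof(fw->cached_pin) - 1);
    fw->cached_pin[sizeof(fw->cached_pin) - 1] = '\0';
    fw->has_cached_pin = 1;
    return 0;
}

/* Signing as a PKCS#15 layer would do it: try, and on a security-status
 * failure verify the PIN and retry once. */
static int toy_sign(struct toy_framework *fw, struct toy_card *card,
                    unsigned flags, const char *user_input)
{
    if (toy_card_sign(card) == 0)
        return 0;
    if (toy_verify(fw, card, flags, user_input) != 0)
        return -1;
    return toy_card_sign(card);
}

/* Perform two signatures on a card that resets the PIN after each one.
 * Returns the number of times the user was prompted, or -1 on failure. */
int toy_run(unsigned flags, const char *user_input)
{
    struct toy_card card = { "1234", 0, 1 };
    struct toy_framework fw = { "", 0, 0 };

    if (toy_sign(&fw, &card, flags, user_input) != 0)
        return -1;
    if (toy_sign(&fw, &card, flags, user_input) != 0)
        return -1;
    return fw.prompts;
}

int main(void)
{
    printf("cached PIN, two signatures: %d prompt(s)\n", toy_run(0, "1234"));
    printf("user consent, two signatures: %d prompt(s)\n",
           toy_run(TOY_PIN_FLAG_USER_CONSENT, "1234"));
    return 0;
}
```

The second signature is where the two policies diverge: the card has already cleared the PIN status, so the framework must verify again, and only the user-consent path turns that into a prompt the signer actually sees.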