On Sat, May 7, 2011 at 10:57 PM, Peter Stuge <pe...@stuge.se> wrote:
> Alon Bar-Lev wrote:
>> However, there are some advanced cards that can generate
>> authentication token, so you can actually authenticate once using
>> PIN get authentication token out of the card (many can be available
>> at same time), then each transaction is authenticated using these
>> tokens. This approach solves the PINPAD issue and BIO issues.
>
> And this works because the p11 library stores these cookies
> associated with each "incoming" p11 user?

One-to-one corresponding with C_Login().

This also has the advantage of not locking the card when the PIN is changed. Suppose the PKCS#11 library caches the PIN and uses it each time to perform card transactions, and you have, for example, Firefox, OpenVPN and GnuPG running. You change the PIN via the command line; then each application attempts to sign, each bails out at the first failure, but after the 3rd accumulative attempt the card is locked.

To solve this, the PKCS#11 provider may use some file in /var/tmp to notify all instances when this event occurs, so all instances may drop the current PIN. However, this will not work if one uses remote sessions, such as remote desktop with a PC/SC channel.

The authentication cookie solves the above, PINPAD and BIO efficiently; however, it requires the card to support it. You get a cookie out of a PIN/PINPAD operation/BIO match. The cookie is valid as long as the card is powered on and policy permits. Policy may state that once the PIN is changed all cookies are invalidated, or not. You may use the cookie instead of the PIN in all object access operations, so you can use stateless transactions while never locking the card by mistake, and minimize the user interaction required during PINPAD/BIO operations.

Alon.

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
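The lockout problem and the cookie-based alternative discussed in the message above, as an added model that is not code from the thread or from OpenSC. It is a toy simulation in Python rather than real PKCS#11 calls: the retry counter of 3, the card class `ToyCard`, the three application names, the PIN values and the cookie format are all constructed here for illustration. One scenario has three applications that cached the old PIN and keep presenting it after a PIN change; the other has each application holding a cookie obtained from a single login, with the card policy deciding whether a PIN change revokes outstanding cookies.

```python
# Added example (not code from the opensc-devel thread or from OpenSC): a toy
# model of the two authentication schemes described in the message. Card,
# applications and PIN values are constructed for illustration.
import hashlib
import secrets

MAX_PIN_RETRIES = 3          # retry counter assumed for the model


class CardLockedError(Exception):
    """Retry counter exhausted; the card refuses all PIN operations."""


class AuthError(Exception):
    """Wrong PIN or unknown cookie."""


class ToyCard:
    """Card with a PIN retry counter and optional authentication cookies.

    invalidate_on_pin_change models the card policy from the message:
    whether changing the PIN revokes every outstanding cookie.
    """

    def __init__(self, pin, invalidate_on_pin_change=True):
        self._pin = pin
        self.retries_left = MAX_PIN_RETRIES
        self.locked = False
        self._cookies = set()
        self.invalidate_on_pin_change = invalidate_on_pin_change

    def _verify_pin(self, pin):
        if self.locked:
            raise CardLockedError()
        if pin != self._pin:
            self.retries_left -= 1
            if self.retries_left == 0:
                self.locked = True
            raise AuthError()
        self.retries_left = MAX_PIN_RETRIES   # correct PIN resets the counter

    @staticmethod
    def _toy_sign(data):
        # Stand-in for a private-key operation; a hash is enough for the model.
        return hashlib.sha256(data).hexdigest()

    # Scheme 1: every transaction presents the (cached) PIN.
    def sign_with_pin(self, pin, data):
        self._verify_pin(pin)
        return self._toy_sign(data)

    # Scheme 2: authenticate once per C_Login(), then use the cookie.
    def login(self, pin):
        self._verify_pin(pin)
        cookie = secrets.token_hex(16)
        self._cookies.add(cookie)
        return cookie

    def sign_with_cookie(self, cookie, data):
        if self.locked:
            raise CardLockedError()
        if cookie not in self._cookies:
            # A stale cookie is simply rejected; the PIN retry counter is
            # untouched, so no application can lock the card this way.
            raise AuthError()
        return self._toy_sign(data)

    def change_pin(self, old_pin, new_pin):
        self._verify_pin(old_pin)
        self._pin = new_pin
        if self.invalidate_on_pin_change:
            self._cookies.clear()

    def power_off(self):
        self._cookies.clear()   # cookies live only while the card is powered


APPS = ("firefox", "openvpn", "gnupg")   # constructed: three PKCS#11 users


def _attempt(fn):
    try:
        fn()
        return "ok"
    except AuthError:
        return "rejected"
    except CardLockedError:
        return "card locked"


def scenario_cached_pin():
    """Each app cached the old PIN; the user changes it from the command line."""
    card = ToyCard("1234")
    cached = {app: "1234" for app in APPS}
    card.change_pin("1234", "9999")
    outcome = {app: _attempt(lambda: card.sign_with_pin(cached[app], b"tx"))
               for app in APPS}
    return outcome, card.locked, card.retries_left


def scenario_auth_cookie(invalidate_on_pin_change):
    """Each app logged in once and holds a cookie; the user changes the PIN."""
    card = ToyCard("1234", invalidate_on_pin_change)
    cookies = {app: card.login("1234") for app in APPS}
    card.change_pin("1234", "9999")
    outcome = {app: _attempt(lambda: card.sign_with_cookie(cookies[app], b"tx"))
               for app in APPS}
    return outcome, card.locked, card.retries_left


if __name__ == "__main__":
    print("cached PIN:", scenario_cached_pin())
    print("cookie, revoke on PIN change:", scenario_auth_cookie(True))
    print("cookie, keep on PIN change:", scenario_auth_cookie(False))
```

In the cached-PIN scenario the three independent failures add up on the card's single retry counter and the card ends locked; in the cookie scenario a stale cookie is merely rejected and the counter stays at its maximum, so under the "revoke on change" policy each application only has to log in again with the new PIN, and under the "keep" policy it is not interrupted at all.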