On 14/06/2011 15:17, Douglas E. Engert wrote:
>
>
> On 6/14/2011 2:58 AM, Viktor Tarasov wrote:
>> No,
>> I have pre-allocated key slots, where only keys with the restricted usage
>> can be placed.
>
> Are there different user PINs for each, which requires a PKCS#11 slot?
> Most of the following is assuming only one user PIN, and it applies to
> both of your keys.
>
> The card I am most familiar with is the PIV card, with 4 primary certificates
> and keys but with only one user PIN, and thus uses only one slot:
>
> Certificate              Key  x509 keyUsage                      Other attributes
> for PIV Authentication   9A   Digital Signature                  msLogin, msUPN
> for Digital Signature    9C   Digital Signature+NonRepudiation   E-mail
> for Key Management       9D   Key Encipherment                   Email
> for Card Authentication  9E   Digital Signature                  (card authenticates itself, no PIN)
>
> The 9A key is used for authentication by browsers, and for login once the PIN
> has been entered.
> The 9C key is used for signing e-mail and requires the PIN immediately before
> each use; this is enforced by the card, and the pkcs15-piv.c code sets
> CKA_ALWAYS_AUTHENTICATE.
> Thunderbird can handle CKA_ALWAYS_AUTHENTICATE.
>
> So what I am reading is: your 'signature' is like the 9A key, and your
> 'qualified signature' is like the 9C key?
>
> The point I am trying to make is that it might be possible to not need extra
> flags but to use the CKA_ID value to indicate it's a 'qualified signature' key,
> or you might be able to pass CKA_ALWAYS_AUTHENTICATE to your generate-key
> routine to indicate that a 'non-repudiation' key should be created.

That could be the solution! Thank you.

Indeed, use of the non-repudiation key is (usually) protected by a dedicated 'one-time' PIN.
The CKA_ALWAYS_AUTHENTICATE attribute (together with a mandatory CKA_SIGN) in the key 'create-object' template can be considered equivalent to the 'nonRepudiation' flag in PKCS#15.

So, if there are no objections, in framework-pkcs15 I will set the 'nonRepudiation' PKCS#15 flag if the key 'create-object' template contains the CKA_ALWAYS_AUTHENTICATE and CKA_SIGN attributes.
Thus there is no longer any need for the vendor-specific attribute.

Kind regards,
Viktor.

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
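An added example (not code from the thread or from OpenSC) of the mapping Viktor proposes: derive the PKCS#15 usage flags for a new private key from its PKCS#11 template, setting nonRepudiation only when CKA_ALWAYS_AUTHENTICATE accompanies CKA_SIGN. The CKA_* values are those of the PKCS#11 specification; the P15_USAGE_* constants and both templates are constructed for illustration, not OpenSC's own definitions.

```c
#include <stdio.h>

/* PKCS#11 types and attribute constants (values from the PKCS#11 spec). */
typedef unsigned long CK_ATTRIBUTE_TYPE;
typedef unsigned char CK_BBOOL;
#define CK_TRUE 1
#define CKA_DECRYPT             0x105UL
#define CKA_SIGN                0x108UL
#define CKA_ALWAYS_AUTHENTICATE 0x202UL
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; unsigned long ulValueLen; } CK_ATTRIBUTE;

/* PKCS#15 private-key usage bits; illustrative constants, not OpenSC's header. */
enum { P15_USAGE_DECRYPT = 0x02, P15_USAGE_SIGN = 0x04, P15_USAGE_NONREPUDIATION = 0x200 };

/* Return 1 if the template sets boolean attribute `type` to CK_TRUE. */
static int tmpl_bool(const CK_ATTRIBUTE *t, unsigned long n, CK_ATTRIBUTE_TYPE type)
{
    for (unsigned long i = 0; i < n; i++)
        if (t[i].type == type && t[i].pValue && t[i].ulValueLen == sizeof(CK_BBOOL))
            return *(const CK_BBOOL *)t[i].pValue == CK_TRUE;
    return 0;   /* an absent boolean attribute defaults to FALSE */
}

/* Derive PKCS#15 usage flags from a private-key create/generate template.
 * nonRepudiation is set only when CKA_ALWAYS_AUTHENTICATE is combined with
 * CKA_SIGN, as proposed in the thread; on a non-signing key it is ignored. */
unsigned int p15_usage_from_template(const CK_ATTRIBUTE *t, unsigned long n)
{
    unsigned int usage = 0;
    if (tmpl_bool(t, n, CKA_SIGN))    usage |= P15_USAGE_SIGN;
    if (tmpl_bool(t, n, CKA_DECRYPT)) usage |= P15_USAGE_DECRYPT;
    if ((usage & P15_USAGE_SIGN) && tmpl_bool(t, n, CKA_ALWAYS_AUTHENTICATE))
        usage |= P15_USAGE_NONREPUDIATION;
    return usage;
}

/* Constructed templates: a 9C-style qualified-signature key, and a decryption
 * key that also asks for ALWAYS_AUTHENTICATE but cannot become nonRepudiation. */
static CK_BBOOL yes = CK_TRUE;
static CK_ATTRIBUTE qsig_tmpl[] = { { CKA_SIGN, &yes, sizeof yes },
                                    { CKA_ALWAYS_AUTHENTICATE, &yes, sizeof yes } };
static CK_ATTRIBUTE dec_tmpl[]  = { { CKA_DECRYPT, &yes, sizeof yes },
                                    { CKA_ALWAYS_AUTHENTICATE, &yes, sizeof yes } };

int main(void)
{
    printf("qualified signature key: usage 0x%x\n", p15_usage_from_template(qsig_tmpl, 2));
    printf("decryption key:          usage 0x%x\n", p15_usage_from_template(dec_tmpl, 2));
    return 0;
}
```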