On 6/14/2011 11:56 AM, Viktor Tarasov wrote:
> On 14/06/2011 17:05, Douglas E. Engert wrote:
>> On 6/14/2011 9:18 AM, Alon Bar-Lev wrote:
>>> On Tue, Jun 14, 2011 at 5:15 PM, Viktor Tarasov
>>> <viktor.tara...@gmail.com> wrote:
>>>> So, if no objections,
>>>> in the framework-pkcs15 I will set the 'nonRepudiation' PKCS#15 flag, if
>>>> the key 'create-object' template contains the CKA_ALWAYS_AUTHENTICATE and
>>>> CKA_SIGN attributes. Thus there is no more need of the vendor specific
>>>> attribute.
>>> But this is procedural.
>>> How can you enforce ALWAYS_AUTHENTICATE on something of your procedure?
>>> Maybe laws in other countries enable authenticate once in X minutes?
>> As I understand it, the intent is to pass in some information when creating
>> the key, not necessarily when it is used.
>>
>> The related question:
>> Viktor, does your card do anything with the nonRepudiation flag when a
>> sign operation is done?
>
> Yes, it resets the 'verified' flag of the authentication object that protects
> the key.
> Here is the 'always-authenticate' behavior.
>
> Normally, the nonRepudiation flag is applied only for the 'c.d.signature'
> operation
> (not for the other two ones -- 'authenticate' and 'decrypt').
>
> That's why I proposed to associate (CKA_ALWAYS_AUTH && CKA_SIGN) and
> 'nonRepudiation'.
>
> Another, imho, the most neutral solution could be
> to introduce an ALWAYS_AUTHENTICATE flag (member) into the internal
> 'sc_pkcs15init_prkeyargs' and 'sc_pkcs15_prkey_info' data types,
> to set this flag if the template contains the CKA_ALWAYS_AUTH,
> and to transfer to the card specific part the decision to associate
> (CKA_ALWAYS_AUTH && CKA_SIGN) with 'nonRepudiation'.
>
> In this case the 'nonRepudiation' does not need to be managed in the common
> pkcs11 and framework-pkcs15 parts.

This is sounding better, as you have a profile for your type of card, and thus
the changes only apply to your card (or other cards if their profile is also
modified.) But as I said, I am not an expert on the PKCS#15 profiles.

>> (The PIV actually has an internal bit that is set to 1 after a verify pin
>> operation and set to 0 after every other operation. So a sign operation
>> using the 9C key will only be allowed if the bit is 1.)
>>
>> Does any PKCS#15 card support such a bit, and thus require a PKCS#11
>> CKA_ALWAYS_AUTHENTICATE attribute?
>>
>> As far as I know, AFAIK CKA_ALWAYS_AUTHENTICATE was added after 2004
>> and was not a concept in the original PKCS#15. Is it in ISO/IEC 7816-15
>> keyUsageFlags or keyAccessFlags?
>
> Afais, there is no equivalent in PKCS#15.

--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
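
The mapping and card behaviour discussed in this thread, as an added example that is not part of the original messages and is not OpenSC code. The struct and function names are hypothetical; the attribute numbers are those of PKCS#11 v2.20 and the usage masks follow the PKCS#15 keyUsageFlags bit positions.

```c
#include <stddef.h>
#include <stdio.h>

/* Attribute types as numbered in PKCS#11 v2.20 (pkcs11t.h). */
#define CKA_DECRYPT             0x105UL
#define CKA_SIGN                0x108UL
#define CKA_ALWAYS_AUTHENTICATE 0x202UL
/* PKCS#15 keyUsageFlags as integer masks (nonRepudiation is bit 9). */
#define P15_USAGE_DECRYPT        0x002u
#define P15_USAGE_SIGN           0x004u
#define P15_USAGE_NONREPUDIATION 0x200u

/* Hypothetical stand-ins for this example, not OpenSC data types. */
struct attr { unsigned long type; int value; };  /* boolean template entry */
struct card_key { unsigned usage; int pin_verified; };

/* Proposed rule: (CKA_ALWAYS_AUTHENTICATE && CKA_SIGN) -> nonRepudiation.
   ALWAYS_AUTHENTICATE on a decrypt-only key does not set the flag. */
unsigned usage_from_template(const struct attr *t, size_t n)
{
    int sign = 0, decrypt = 0, always = 0;
    for (size_t i = 0; i < n; i++) {
        if (t[i].type == CKA_SIGN) sign = t[i].value != 0;
        else if (t[i].type == CKA_DECRYPT) decrypt = t[i].value != 0;
        else if (t[i].type == CKA_ALWAYS_AUTHENTICATE) always = t[i].value != 0;
    }
    unsigned usage = 0;
    if (sign) usage |= P15_USAGE_SIGN;
    if (decrypt) usage |= P15_USAGE_DECRYPT;
    if (sign && always) usage |= P15_USAGE_NONREPUDIATION;
    return usage;
}

/* Model of the described card behaviour: signing with a nonRepudiation key
   resets the 'verified' state, so the next signature needs the PIN again.
   Returns 0 on success, -1 when the PIN must be presented first. */
int card_sign(struct card_key *k)
{
    if (!(k->usage & P15_USAGE_SIGN) || !k->pin_verified) return -1;
    if (k->usage & P15_USAGE_NONREPUDIATION) k->pin_verified = 0;
    return 0;
}

int main(void)
{
    /* Constructed sample template for a signature key. */
    struct attr tmpl[] = { {CKA_SIGN, 1}, {CKA_ALWAYS_AUTHENTICATE, 1} };
    struct card_key k = { usage_from_template(tmpl, 2), 1 };
    int first = card_sign(&k);
    int second = card_sign(&k);
    printf("usage=0x%x first=%d second=%d\n", k.usage, first, second);
    return 0;
}
```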