On Wed, Jun 15, 2011 at 12:14 PM, Viktor Tarasov
<viktor.tara...@gmail.com> wrote:
> Douglas proposed to associate the CKA_ALWAYS_AUTHENTICATE together with
> CKA_SIGN attributes on the PKCS#11 side,
> with the 'nonRepudiation' flags on the PKCS#15 side.
> IMHO, it's a legitimate solution -- 'ALWAYS_AUTHENTICATE' is quite close to the
> 'nonRepudiation'.

It is not the same. Better is the vendor attribute, no guessing or
ugly mapping is required.
Anyway, as there is no 1:1 PKCS#11->PKCS#15 we just defer the problem
to the next missing attribute.
Dropping the PKCS#15 interface (libopensc) in favor of PKCS#11 limits
the functionality (enroll process).

In order to make it simpler, maybe a single vendor attribute of
CKA_OPENSC_PKCS15_ATTRS should be added, with name=value;name=value;
format, so without changing the interface people will be able to
specify PKCS#15 attributes during the enroll process.
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
