On 03/08/2011 19:40, helpcrypto helpcrypto wrote:

>> Well... The user should be responsible for selecting the "best" slot.
>> That IMHO shouldn't be a "slot" in the first place, but just a
>> certificate. The browser should only filter certs so that only
>> acceptable ones are proposed to the user.
> That's what actually is done, isn't it? At least, after the PIN request,
> a window with certs is shown to select one...

Yes. But in my head it should work the other way around: ask for the PIN
only if no suitable object is found. If the user wants to use a private
object, he must authenticate first.

>> If an object isn't accessible ('cause it's marked private), it should
>> be the user's responsibility to login w/ the correct credentials first.
> The NSS should detect the flag, and if needed, call C_Login or do the
> operations needed. Sometimes the object is not extractable from the
> smartcard, so it depends.

Usually just private (or secret) keys are unextractable.

> Maybe the PIN should be cached 'cause sometimes the card can be reset
> between calls, and that loses the security access.

Unless the object is marked for user consent.

> That's the reason why the Spanish ID is requesting the PIN all the time(?)

Probably 'cause it's for signature, so it's marked user-consent (uncacheable).

BYtE,
 Diego.
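
The policy discussed in this thread, as an added example that is not part of the original messages and is not NSS or OpenSC code: look at public objects first, prompt for the PIN only when nothing suitable is visible, reuse a cached PIN after a card reset, and never cache the PIN for a user-consent key. `MockToken`, `Client` and `Obj` are hypothetical names, the token is a constructed in-memory stand-in, and mapping "user consent" to `CKA_ALWAYS_AUTHENTICATE` is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Obj:
    label: str
    private: bool = False      # models CKA_PRIVATE
    always_auth: bool = False  # models CKA_ALWAYS_AUTHENTICATE (assumed "user consent")

class MockToken:
    """Constructed stand-in for a PKCS#11 session; not a real module binding."""
    def __init__(self, objects, pin):
        self._objects, self._pin, self.logged_in = objects, pin, False

    def login(self, pin):      # models C_Login
        if pin != self._pin:
            raise PermissionError("CKR_PIN_INCORRECT")
        self.logged_in = True

    def reset(self):           # a card reset drops the login state
        self.logged_in = False

    def find(self):            # private objects stay hidden until login
        return [o for o in self._objects if self.logged_in or not o.private]

class Client:
    def __init__(self, token, ask_pin):
        self.token, self.ask_pin, self.cached_pin = token, ask_pin, None

    def _login(self):
        if not self.token.logged_in:
            pin = self.cached_pin or self.ask_pin("login")
            self.token.login(pin)   # raises before a wrong PIN can be cached
            self.cached_pin = pin

    def pick(self, acceptable):
        """Search public objects first; ask for the PIN only if nothing fits."""
        hits = [o for o in self.token.find() if acceptable(o)]
        if not hits:
            self._login()
            hits = [o for o in self.token.find() if acceptable(o)]
        return hits

    def use_key(self, key):
        self._login()               # the cached PIN restores access after a reset
        if key.always_auth:
            # User-consent key: the PIN is requested per operation and never stored.
            self.token.login(self.ask_pin("consent:" + key.label))
        return "signed-with:" + key.label
```
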