Hello,
I would like to 'touch' the PKCS#11 module of OpenSC and am looking for your
opinions/suggestions about:
- removing the 'pkcs15init' framework;
- configurable support of multiple on-card applications and multiple PINs;
- removing the 'one-pin' version of the PKCS#11 module (or rather replacing it
  with a particular case of the configuration);
- no separate slot for public objects.

The proposed PKCS#11 configuration concerns the creation of slots, their
authentication objects and their content.

Possibilities are:
- 'all' -- actual behavior -- a slot for every non-sopin, non-unblock PIN and
  optionally for the PUK.
  All public objects within the limits of one on-card application are
  associated with the first 'User PIN' slot.
- combinations of the symbolic PIN names 'user', 'sign' and 'application', where
  the important combinations are:
  -- if only 'user' (one-pin) is used, the unique slot will contain the private
     objects from all the on-card applications which are protected by the
     corresponding card's PIN. (In multi-application cards, the same global
     card's PIN could be referenced by the pkcs#15 'authentication' object
     from more than one on-card application.)
     Other private objects are not visible (for example, the ones protected by
     the SignPIN).
     All public objects from all the on-card applications are also added to
     this slot.
     (This configuration is suitable for FF.)
  -- 'user' + 'sign' -- the same as the previous one, with the exception that a
     second slot is created for the private object protected by the 'sign' PIN
     and this object's public 'friends'.
     (This configuration could be useful for FF and Thunderbird.)
  -- 'application' -- one slot per on-card application, so that it is possible
     to differentiate the on-card applications with the PKCS#11 API.
     (Equivalent of the '--aid' option in the pkcs15(init) tools.)
     (This configuration is mostly for initializing the on-card applications
     with the PKCS#11 API.)
  -- 'application' + 'sign' -- the same as 'all' without the optional slot for
     the PUK.
Kind wishes,
Viktor.
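
The 'user' and 'user' + 'sign' layouts described in the message, as an added Python model that is not part of the original e-mail and is not OpenSC code. The card content, the names (Obj, CARD, build_slots, hidden) and the rule that a public 'friend' shares the application and ID of the sign-PIN object and is listed in both slots are assumptions made for the illustration.

```python
from collections import namedtuple

# pin is the symbolic name of the protecting PIN ('user' or 'sign');
# None marks a public object. All names here are hypothetical.
Obj = namedtuple("Obj", "label app obj_id pin")

# Constructed card content (not from the original message): two on-card applications.
CARD = [
    Obj("auth-key",  "app1", "01", "user"),
    Obj("auth-cert", "app1", "01", None),
    Obj("enc-key",   "app2", "02", "user"),
    Obj("enc-cert",  "app2", "02", None),
    Obj("sign-key",  "app2", "03", "sign"),
    Obj("sign-cert", "app2", "03", None),
]

def build_slots(card, config):
    """Map slot name -> object labels for config {'user'} or {'user', 'sign'}."""
    config = set(config)
    if config not in ({"user"}, {"user", "sign"}):
        raise ValueError("only 'user' and 'user'+'sign' are modelled here")
    # 'user' slot: user-PIN private objects plus all public objects,
    # collected from every on-card application.
    slots = {"user": [o.label for o in card if o.pin in ("user", None)]}
    if "sign" in config:
        signed = {(o.app, o.obj_id) for o in card if o.pin == "sign"}
        # Assumption: a public 'friend' has the same application and ID as the
        # sign-PIN object and appears in the 'sign' slot as well as in 'user'.
        slots["sign"] = [o.label for o in card
                         if o.pin == "sign"
                         or (o.pin is None and (o.app, o.obj_id) in signed)]
    return slots

def hidden(card, slots):
    """Labels of objects that no slot exposes under the chosen configuration."""
    visible = {label for labels in slots.values() for label in labels}
    return [o.label for o in card if o.label not in visible]

if __name__ == "__main__":
    for cfg in ({"user"}, {"user", "sign"}):
        layout = build_slots(CARD, cfg)
        print(sorted(cfg), layout, "hidden:", hidden(CARD, layout))
```

With only 'user' configured, the sign-PIN key is reachable through no slot while its certificate is still listed, which is the visibility trade-off the one-slot case makes.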