[opensc-devel] Do smart card drivers generally support more than one PKCS#11 session?

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Jun 15 14:28:42 PDT 2011


On 06/13/2011 11:11 AM, Stef Walter wrote:
> On 06/10/2011 07:08 PM, Martin Paljak wrote:
>> On Jun 10, 2011, at 13:11 , Stef Walter wrote:
>>> After sleeping on this idea, I realized it won't work in certain
>>> cases. In particular when the key has CKA_ALWAYS_AUTHENTICATE
>>> and requires C_Login with CKU_CONTEXT_SPECIFIC.
>> This is hardly the case with SSL.
>> 
>> CKA_ALWAYS_AUTHENTICATE in OpenSC context for example is only set
>> for keys that require "user consent" or usually are used for
>> "nonrepudiation". Most cards I've seen can use authentication keys
>> once the cardholder is verified until the card is reset or
>> removed.
>>
>> Using such a card with a pinpad reader would be impossible for web
>> authentication, you'd be typing the PIN most of the time.
> Since the PKCS#11 URIs say that the pinfile attribute of the URI
> can be determined by the application, we can build something simple
> in p11-kit and register callbacks so that one component (in the same
> process) can provide the pin for another (like gnutls).

I didn't like the pinfile attribute of pkcs11-urls much, because its
semantics are undefined. I see it as an option that could cause
compatibility issues between libraries using URLs. That's why I have
ignored it so far. Are there other alternatives to solve the issue at hand?

regards,
Nikos
