[opensc-devel] Do smart card drivers generally support more than one PKCS#11 session?
Nikos Mavrogiannopoulos
nmav at gnutls.org
Wed Jun 15 14:28:42 PDT 2011
On 06/13/2011 11:11 AM, Stef Walter wrote:
> On 06/10/2011 07:08 PM, Martin Paljak wrote:
>> On Jun 10, 2011, at 13:11 , Stef Walter wrote:
>>> After sleeping on this idea, I realized it won't work in certain
>>> cases. In particular when the key has CKA_ALWAYS_AUTHENTICATE
>>> and requires C_Login with CKU_CONTEXT_SPECIFIC.
>> This is hardly the case with SSL.
>>
>> CKA_ALWAYS_AUTHENTICATE in OpenSC context for example is only set
>> for keys that require "user consent" or usually are used for
>> "nonrepudiation". Most cards I've seen can use authentication keys
>> once the cardholder is verified until the card is reset or
>> removed.
>>
>> Using such a card with a pinpad reader would be impossible for web
>> authentication; you'd be typing the PIN most of the time.
> Since the PKCS#11 URIs say that the pinfile attribute of the URI
> can be determined by the application, we can build something simple
> in p11-kit and register callbacks so that one component (in the same
> process) can provide the pin for another (like gnutls).
I didn't like the pinfile attribute of pkcs11-urls much, because its
semantics are undefined. I see it as an option that could cause
compatibility issues between libraries using URLs. That's why I have
ignored it so far. Are there other alternatives to solve the issue at hand?
regards,
Nikos
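The case Stef describes above (a key with CKA_ALWAYS_AUTHENTICATE needing C_Login with CKU_CONTEXT_SPECIFIC between C_SignInit and C_Sign) as an added example, not code from this thread, OpenSC or p11-kit. The "token" here is a constructed stand-in that enforces that ordering so the calling side can be exercised without a card; the PIN callback, the PIN value "1234" and the handles are assumptions.

```c
#include <stdbool.h>
#include <string.h>
/* PKCS#11 constants used below (values as in the standard pkcs11.h). */
#define CKA_ALWAYS_AUTHENTICATE 0x202UL   /* attribute the thread talks about */
#define CKU_CONTEXT_SPECIFIC    2UL
#define CKR_OK                  0x00UL
#define CKR_PIN_INCORRECT       0xA0UL
#define CKR_USER_NOT_LOGGED_IN  0x101UL
typedef unsigned long CK_RV, CK_ULONG, CK_OBJECT_HANDLE, CK_SESSION_HANDLE, CK_USER_TYPE;

/* Constructed stand-in for a token (not a real module): one key whose
 * CKA_ALWAYS_AUTHENTICATE value is selectable, plus the state needed to enforce
 * "C_Login(CKU_CONTEXT_SPECIFIC) must come after C_SignInit and before C_Sign". */
static bool key_always_auth = true;      /* constructed attribute value */
static bool sign_initialized, context_login_done;
static CK_RV fake_GetAlwaysAuth(CK_OBJECT_HANDLE key, bool *out) { (void)key; *out = key_always_auth; return CKR_OK; }
static CK_RV fake_SignInit(CK_SESSION_HANDLE s, CK_OBJECT_HANDLE key) {
    (void)s; (void)key; sign_initialized = true; context_login_done = false; return CKR_OK;
}
static CK_RV fake_Login(CK_SESSION_HANDLE s, CK_USER_TYPE type, const char *pin) {
    (void)s;
    if (type != CKU_CONTEXT_SPECIFIC || !sign_initialized) return CKR_USER_NOT_LOGGED_IN;
    if (pin == NULL || strcmp(pin, "1234") != 0) return CKR_PIN_INCORRECT; /* constructed PIN */
    context_login_done = true; return CKR_OK;
}
static CK_RV fake_Sign(CK_SESSION_HANDLE s) {
    (void)s;
    if (key_always_auth && !context_login_done) return CKR_USER_NOT_LOGGED_IN;
    sign_initialized = context_login_done = false;  /* consent is consumed by one signature */
    return CKR_OK;
}

/* Application side. pin_cb plays the role of a separate component (as the
 * thread suggests p11-kit could do) that hands the PIN to the signing code. */
typedef const char *(*pin_callback)(void *ctx);
CK_RV sign_with_key(CK_SESSION_HANDLE s, CK_OBJECT_HANDLE key, pin_callback pin_cb, void *ctx) {
    bool always_auth; CK_RV rv;
    if ((rv = fake_GetAlwaysAuth(key, &always_auth)) != CKR_OK) return rv;
    if ((rv = fake_SignInit(s, key)) != CKR_OK) return rv;
    if (always_auth) {                      /* per-operation consent required */
        const char *pin = pin_cb ? pin_cb(ctx) : NULL;
        if (pin == NULL) return CKR_USER_NOT_LOGGED_IN; /* no PIN source: fail, don't retry */
        if ((rv = fake_Login(s, CKU_CONTEXT_SPECIFIC, pin)) != CKR_OK) return rv;
    }
    return fake_Sign(s);                    /* a second C_Sign would need the login again */
}
/* Constructed callbacks standing in for a PIN-providing component. */
const char *good_pin_cb(void *ctx) { (void)ctx; return "1234"; }
const char *bad_pin_cb(void *ctx) { (void)ctx; return "0000"; }
```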