[opensc-devel] Do smart card drivers generally support more than one PKCS#11 session?
martin at martinpaljak.net
Fri Jun 10 10:08:55 PDT 2011
On Jun 10, 2011, at 13:11 , Stef Walter wrote:
> On 06/09/2011 09:37 PM, Stef Walter wrote:
>> I'm working on integrating smart card support via PKCS#11 into glib and
>> gcr (part of gnome-keyring). We're integrating with GnuTLS for TLS support.
>> I'd like to be able to do a C_Login in my code, and then pass off the
>> URL to Gnutls. GnuTLS would then open another session, recognize that
>> we're already logged in (this may need a slight tweak in the gnutls
>> code) and then proceed without prompting the user.
> After sleeping on this idea, I realized it won't work in certain cases.
> In particular when the key has CKA_ALWAYS_AUTHENTICATE and requires
> C_Login with CKU_CONTEXT_SPECIFIC.
This is hardly the case with SSL.
CKA_ALWAYS_AUTHENTICATE in the OpenSC context, for example, is only set for keys that require "user consent" or are usually used for "nonrepudiation".
Most cards I've seen can use authentication keys once the cardholder is verified, until the card is reset or removed.
Using such a card with a pinpad reader would be impossible for web authentication; you'd be typing the PIN most of the time.
More information about the p11-glue
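Added example, not code from the thread, OpenSC, GnuTLS or p11-glue: a small in-memory model of the PKCS#11 v2.20 login rules the two messages are about, so the "log in via one session, use the key from another" flow can be run offline. The token, PIN, key labels and the `scenario()` function are constructed; the constants are the pkcs11t.h values. What it shows is why Stef's plan works for an ordinary authentication key (login state is per token, shared by every session the application opens) and fails for a CKA_ALWAYS_AUTHENTICATE key (each C_Sign needs a C_Login(CKU_CONTEXT_SPECIFIC) in that same session, after C_SignInit), and that a C_Logout in the first session also drops the second one.

```python
"""Model of PKCS#11 v2.20 login semantics (constructed; a tiny in-memory token
stands in for a real module). Rules modelled:
  * C_Login(CKU_USER) sets one login state per token, shared by every session
    the application has open on that token;
  * a key with CKA_ALWAYS_AUTHENTICATE also needs C_Login(CKU_CONTEXT_SPECIFIC)
    in the same session, after C_SignInit, before each C_Sign;
  * C_Logout from any session clears the token-wide login state.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Values from pkcs11t.h
CKR_OK = 0x000
CKR_OPERATION_ACTIVE = 0x090
CKR_OPERATION_NOT_INITIALIZED = 0x091
CKR_PIN_INCORRECT = 0x0A0
CKR_USER_ALREADY_LOGGED_IN = 0x100
CKR_USER_NOT_LOGGED_IN = 0x101
CKU_USER = 1
CKU_CONTEXT_SPECIFIC = 2
CKS_RO_PUBLIC_SESSION = 0
CKS_RO_USER_FUNCTIONS = 1


@dataclass
class Key:
    label: str
    always_authenticate: bool           # CKA_ALWAYS_AUTHENTICATE

    def sign(self, data: bytes) -> bytes:
        # Stand-in for the card's signature, not real cryptography
        return b"SIG[" + self.label.encode() + b"](" + data + b")"


@dataclass
class Token:
    pin: str
    keys: Dict[str, Key]
    user_logged_in: bool = False        # token-wide, not per session


@dataclass
class Session:
    token: Token
    active_key: Optional[Key] = None    # set by C_SignInit
    context_authenticated: bool = False # set by C_Login(CKU_CONTEXT_SPECIFIC)


def C_Login(s: Session, user_type: int, pin: str) -> int:
    if pin != s.token.pin:
        return CKR_PIN_INCORRECT
    if user_type == CKU_USER:
        if s.token.user_logged_in:
            return CKR_USER_ALREADY_LOGGED_IN
        s.token.user_logged_in = True   # visible to every session on this token
        return CKR_OK
    if user_type == CKU_CONTEXT_SPECIFIC:
        if s.active_key is None:        # must follow C_SignInit in this session
            return CKR_OPERATION_NOT_INITIALIZED
        s.context_authenticated = True
        return CKR_OK
    raise ValueError("unsupported user type")


def C_Logout(s: Session) -> int:
    s.token.user_logged_in = False      # logs out every session on this token
    return CKR_OK


def C_GetSessionInfo(s: Session) -> int:
    return CKS_RO_USER_FUNCTIONS if s.token.user_logged_in else CKS_RO_PUBLIC_SESSION


def C_SignInit(s: Session, key: Key) -> int:
    if s.active_key is not None:
        return CKR_OPERATION_ACTIVE
    if not s.token.user_logged_in:
        return CKR_USER_NOT_LOGGED_IN
    s.active_key, s.context_authenticated = key, False
    return CKR_OK


def C_Sign(s: Session, data: bytes) -> Tuple[int, bytes]:
    key = s.active_key
    if key is None:
        return CKR_OPERATION_NOT_INITIALIZED, b""
    ctx = s.context_authenticated
    s.active_key, s.context_authenticated = None, False   # operation ends on return either way
    if key.always_authenticate and not ctx:
        return CKR_USER_NOT_LOGGED_IN, b""
    return CKR_OK, key.sign(data)


def scenario() -> Dict[str, int]:
    """Constructed flow: the application logs in via session A, GnuTLS uses session B."""
    token = Token(pin="1234", keys={
        "auth": Key("auth", always_authenticate=False),     # TLS client-auth key
        "nonrep": Key("nonrep", always_authenticate=True),  # nonrepudiation key
    })
    a, b = Session(token), Session(token)
    out: Dict[str, int] = {}
    out["login_a"] = C_Login(a, CKU_USER, "1234")
    out["b_state"] = C_GetSessionInfo(b)                        # B already sees A's login
    C_SignInit(b, token.keys["auth"])
    out["auth_sign_b"], _ = C_Sign(b, b"tls-handshake-hash")    # no further PIN prompt
    C_SignInit(b, token.keys["nonrep"])
    out["nonrep_sign_no_ctx"], _ = C_Sign(b, b"doc")            # context login missing
    C_SignInit(b, token.keys["nonrep"])
    out["ctx_login_b"] = C_Login(b, CKU_CONTEXT_SPECIFIC, "1234")  # PIN again, in B itself
    out["nonrep_sign_ctx"], _ = C_Sign(b, b"doc")
    C_SignInit(b, token.keys["nonrep"])
    out["nonrep_sign_second"], _ = C_Sign(b, b"doc2")           # one operation per context login
    C_Logout(a)
    out["auth_init_after_logout"] = C_SignInit(b, token.keys["auth"])
    return out
```

The dictionary returned by `scenario()` is the whole argument in return codes: the authentication key signs from session B with nothing but the earlier C_Login in session A, the nonrepudiation key returns CKR_USER_NOT_LOGGED_IN until a context-specific login is done in B, and it needs that again for the very next signature, which is the pinpad problem Martin describes.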