
Thread: User Consent Keys




2006-11-14 18:21:08
On Thu, 2006-10-26 at 11:05 -0500, Douglas E. Engert wrote:
> 
> I would hope you would never try to cache a pin especially with
> a card like the one you describe:
> 
>    * If the card was issued such that you had to enter the pin
>      before every signature, then you are violating the policy
>      that the card is trying to enforce and you leave yourself
>      open to misuse of the card.
> 
>    * Newer card readers have a PIN pad so that the host/application
>      will never see the PIN, and therefore the application can not
>      cache it. These readers help avoid keyboard sniffers, and
>      applications like yours that try and cache (i.e. misuse the PIN).
> 
>    * The user is expecting that every time the card is required
>      to do a signature, they will be notified and can make the choice
>      of signing or not.
> 
> Maybe Thunderbird needs to make some changes too, to abide by
> the policies that the card issuer and user are expecting.

Hello, I've taken over the work that Justin Eylander was doing and was
wondering if there's a flag that can be set in OpenSC to have it ask for
the PIN for operations requiring user-consent.

In Thunderbird/Firefox, it seems that it will ask you to enter your PIN
once to list certificates and then again when it does the actual
signing.  With a JavaScript test I found that behavior... haven't had a
chance to test email... but I assume it will be the same.

There IS an option that allows you to 'Log in' to the card permanently,
and it gets rid of the certificate listing PIN entry.

As it stands now... I have to cache the PIN since there seems to be no
way to initiate a user-consent PIN request properly...

As to how Thunderbird/Firefox might need to change... I see that it
should be honoring any PKCS11 attributes that exist for the user-consent
policy... but I am not sure if there exists any such attribute.
-- 
Thomas Harning Jr.
Authentication Engineer  Identity Alliance

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel