listing certs/keys requires login? pam_pkcs11 internals... [u]


listing certs/keys requires login? pam_pkcs11 internals... [u]

Andreas Jellinghaus-2
Hi,

does listing certificates or keys require a login?

I'm asking because I took a look at pam_pkcs11:
it first asks me for my PIN, and then gets the
list of all certs and keys and checks if any
of them is ok for authentication.

I don't like this. The software should protect
my pin and do that by never asking me to enter
it, unless it really needs it. With this mechanism,
if I mistype the username, it will still ask me
for my pin, even if there is no way I will be able
to login with this card to that user. I think this
is wrong.

However I don't know pkcs#11 well, so I wonder:
can we get a list of certificates and keys without
having the pin, or will some cards keep the certificate
secret without it?

David, can you comment how MuscleCard pkcs#11 works?
Will it show the certificates without a login?

Regards, Andreas
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel

Re: listing certs/keys requires login? pam_pkcs11 internals... [u]

David Corcoran-2
Hi,

I believe the MuscleCard P11 will list certificates before requiring a
PIN.  I'm not sure if this is the correct behavior, but I think we had to
do this when we were making it work with real early versions of Netscape /
Mozilla .....  I agree that the pin should not be requested unless
absolutely necessary ....

Thanks,
Dave


Re: listing certs/keys requires login? pam_pkcs11 internals... [u]

Stef Hoeben
In reply to this post by Andreas Jellinghaus-2
Hi,

this issue keeps popping up, see the "PIN not always requested?"
thread from this month, and
http://opensc.org/pipermail/opensc-devel/2005-February/005568.html

To summarize: our pkcs11 doesn't list private key objects before a
PIN login, the musclecard pkcs11 does. The pkcs11 standard seems
to say it's necessary (but personally I'm not sure it really does) and the
Mozilla family always does a PIN login.

A work-around is to list the certs (works without PIN login) and
assume that each user cert has a corresponding private key with
the same ID (99% chance that it works).

Cheers,
Stef


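As an added illustration (not code from the thread, pam_pkcs11 or OpenSC): the flow Andreas objects to, reordered so the PIN is only requested once a certificate visible without login maps to the requested user, together with Stef's work-around of pairing a cert with the private key that shares its CKA_ID. The token is a constructed in-memory model of PKCS#11 object attributes, and `cn_mapper` is an assumed subject-to-username mapper, not a real Cryptoki session.

```python
# Constructed model of a PKCS#11 token: objects carry CKA_CLASS, CKA_ID and
# CKA_PRIVATE. Private objects are hidden from C_FindObjects until C_Login,
# which is the OpenSC behaviour Stef describes.
from dataclasses import dataclass

CKO_CERTIFICATE, CKO_PRIVATE_KEY = 1, 3   # CKA_CLASS values from PKCS#11


@dataclass(frozen=True)
class Obj:
    cls: int            # CKA_CLASS
    id: bytes           # CKA_ID, shared by a cert and its private key
    private: bool       # CKA_PRIVATE: True means hidden until login
    subject: str = ""   # certificate subject (constructed sample data)


def find_objects(token, logged_in):
    """C_FindObjects as the thread describes it: private objects only after login."""
    return [o for o in token if logged_in or not o.private]


def certs_for_user(token, username, mapper):
    """Certificates readable without a PIN whose subject maps to the user."""
    return [o for o in find_objects(token, logged_in=False)
            if o.cls == CKO_CERTIFICATE and mapper(o.subject) == username]


def pin_needed(token, username, mapper):
    """Prompt for the PIN only if some certificate could authenticate this user."""
    return bool(certs_for_user(token, username, mapper))


def private_key_for(token, cert, logged_in):
    """Stef's work-around: the private key carrying the same CKA_ID as the cert."""
    for o in find_objects(token, logged_in):
        if o.cls == CKO_PRIVATE_KEY and o.id == cert.id:
            return o
    return None


def cn_mapper(subject):
    """Assumed mapper: username is the CN of the certificate subject."""
    return subject[3:] if subject.startswith("CN=") else ""


# Constructed token: one user certificate plus its private key (hidden until login).
TOKEN = [
    Obj(CKO_CERTIFICATE, b"\x01", False, "CN=alice"),
    Obj(CKO_PRIVATE_KEY, b"\x01", True),
]
```

With this ordering a mistyped username never reaches the PIN prompt, because no visible certificate maps to it.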