Automatically verify cached pin and retry general auth on sw = 6982 #338
Conversation
|
Different approach to problems with always-auth keys - automatically verify cached pin and retry general-authenticate |
qpernil
changed the title
|
The trouble with this approach is that it is in the library, and hence affects all usage, not just piv-tool |
qpernil
changed the title
qpernil
force-pushed
the
auto-verify-cached-pin
branch
from
0801ef2
to
69a21a3
Compare
|
I like this approach very much, as it returns the decision whether to (re-)authenticate, back to where it belongs - to the token itself. |
qpernil
force-pushed
the
auto-verify-cached-pin
branch
from
69a21a3
to
f614661
Compare
|
I think this is probably the wrong approach after all, even if it happens to be very convenient and slots into the code very smoothly. It would essentially negate the intention with always-auth keys, with no way for the application to choose behaviour. |
|
It is the right approach of the user wants his app to behave this way. So, using cached PIN or not should be a configurable option. |
|
I think it is more in line with pkcs#11 that the application chooses what to do, after all there is support in pkcs11 to to it well from the application, either using the flag to preeemptively prompt, or to just automatically re-verify a pin it keeps in memory, or alternatively to base the behaviour on the return codes (and hope that different pkcs11 modules give the 'right' error code) |
qpernil
force-pushed
the
auto-verify-cached-pin
branch
from
f614661
to
c5d5e01
Compare
No description provided.