On Oct 30, 2015, at 16:30 , Miller, Timothy J. <tmiller@mitre.org> wrote:
... If you don't send VERIFY in the APDU immediately prior to the DSK operation, the PIV card applet should return an error (I don't have 800-73 in front of me, but you can look up the error).  The tokend then handles that error.  That's all integral to the PIV card data model.  

OK, and that’s what NEO seems to require!

Non-conformance can happen at both ends, but I'm relatively certain that PIV.token and PKard.tokend are conformant (no offense to Shawn or Paul :).  Yubi's PIV applet is possibly suspect, not having been certified,

OK, but if Yubi refuses to work without a PIN, and the PIN is not sent to it and the user is not prompted for for a PIN - how can Yubi be a suspect in this particular case? 

but you know you can download NIST's PIV data model test tools, right?  

http://csrc.nist.gov/groups/SNS/piv/download.html

I will download it - though I suspect it requires Windows, which would make my ability to try it rather unlikely…

I'd be more apt to believe a bug in Mail or securityd, however.

I’m in complete agreement here. :-)
--
Uri Blumenthal
uri@mit.edu