[SmartcardServices-Users] [Fed-Talk] Help tracing access to keys/certificates?

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Thu Oct 29 13:19:03 PDT 2015


>> Shawn, how do I check and/or affect the policies on a given keychain wrt.
>> enforcing PIN re-entering upon every operation (or ideally, every signing
>> operation)?
> 
> Ultimately, this is enforced by the corresponding Tokend, but by specification
> should come from the applet on the card.  This has long been a problem with
> applets used on US Government cards not properly providing policies like this,
> so Apple had to take an approach of defaulting to allowing “Cached PIN” if not
> defined.  

Shawn, could you please clarify for me what “Cached PIN” means in this
context?

Does it mean that the Keychain API assumes that once it has passed the PIN to
the tokend, either the tokend keeps (“caches”) the PIN for a while, or the token
itself stays “unlocked” for a while upon receiving the correct PIN?

Who decides how long that “for a while” lasts?

Is there a mechanism by which the tokend can inform the Keychain API that the
“cached for a while” period is over and the PIN must be re-entered? How does the tokend
know whether the token expects a new PIN, or is happy with having been unlocked “a
while ago”?

Thanks!
