[SmartcardServices-Users] [Fed-Talk] Help tracing access to keys/certificates?

Miller, Timothy J. tmiller at mitre.org
Fri Oct 30 13:30:38 PDT 2015


> The way I understand your response, if the card is recognized as a PIV token -
> then the "tokend framework" (whatever it is) should know to prompt for a
> PIN at every DSK operation, without any extra "nudging".

Pretty much.  If you don't send VERIFY in the APDU immediately prior to the DSK operation, the PIV card applet should return an error (I don't have 800-73 in front of me, but you can look up the error).  The tokend then handles that error.  That's all integral to the PIV card data model.  

Non-conformance can happen at both ends, but I'm relatively certain that PIV.token and PKard.tokend are conformant (no offense to Sean or Paul :).  Yubi's PIV applet is possibly suspect, not having been certified, but you know you can download NIST's PIV data model test tools, right?  

http://csrc.nist.gov/groups/SNS/piv/download.html

I'd be more apt to believe a bug in Mail or securityd, however.

-- T
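The behaviour described in this message, as an added example that is not part of the original post and not code from any tokend: a toy card model in which the digital signature key (key reference 9C) accepts GENERAL AUTHENTICATE only when the immediately preceding APDU was a successful VERIFY, plus a hypothetical host routine that prompts when the card refuses. The status word 6982 (security status not satisfied) and the instruction bytes are the standard ISO 7816-4 / SP 800-73 values; the class, the function names and the retry limit are assumptions.

```python
# Constructed toy model, not an SP 800-73 implementation: no real crypto, PIN padding omitted.
SW_OK = 0x9000
SW_SECURITY_STATUS_NOT_SATISFIED = 0x6982
SW_AUTH_BLOCKED = 0x6983
INS_VERIFY, INS_GENERAL_AUTHENTICATE = 0x20, 0x87
P2_PIV_PIN = 0x80
KEY_PIV_AUTH, KEY_DIGITAL_SIGNATURE = 0x9A, 0x9C
MAX_RETRIES = 3  # assumed value for the toy card


class ToyPivApplet:
    def __init__(self, pin):
        self._pin = pin
        self._retries = MAX_RETRIES
        self._pin_verified = False      # session-wide security status
        self._verify_just_done = False  # True only if the previous APDU was a good VERIFY

    def transmit(self, ins, p2, data=b""):
        # Any command consumes the "VERIFY was the previous APDU" state.
        fresh, self._verify_just_done = self._verify_just_done, False
        if ins == INS_VERIFY:
            if self._retries == 0:
                return SW_AUTH_BLOCKED
            if data != self._pin:
                self._retries -= 1
                self._pin_verified = False
                return 0x63C0 | self._retries  # 63CX: X tries left
            self._retries = MAX_RETRIES
            self._pin_verified = self._verify_just_done = True
            return SW_OK
        if ins == INS_GENERAL_AUTHENTICATE:
            # DSK is "PIN always": only a VERIFY in the immediately preceding APDU counts.
            allowed = fresh if p2 == KEY_DIGITAL_SIGNATURE else self._pin_verified
            return SW_OK if allowed else SW_SECURITY_STATUS_NOT_SATISFIED
        return 0x6D00  # instruction not supported


def sign_with_dsk(card, ask_pin):
    """Hypothetical host-side handling: prompt only when the card demands it."""
    trace = [card.transmit(INS_GENERAL_AUTHENTICATE, KEY_DIGITAL_SIGNATURE)]
    if trace[-1] == SW_SECURITY_STATUS_NOT_SATISFIED:
        trace.append(card.transmit(INS_VERIFY, P2_PIV_PIN, ask_pin()))
        if trace[-1] == SW_OK:
            trace.append(card.transmit(INS_GENERAL_AUTHENTICATE, KEY_DIGITAL_SIGNATURE))
    return trace
```

A card that answers 9000 to a second 9C operation without a fresh VERIFY would point at the applet; one that answers 6982 while no prompt ever appears would point at the host side.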



