Created attachment 984374
Patch opensc.spec to configure with --enable-dnie-ui

Description of problem:
To use the Spanish DNIe (National Identification Card) it is necessary to write a PIN. opensc must be configured/compiled with "--enable-dnie-ui" to show the box where to write this PIN. Attached is a patch for opensc.spec.

Version-Release number of selected component (if applicable):
opensc-0.14.0

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
I'm curious. All smart cards require a PIN; why does this PIN require a special UI? Doesn't the PIN entry work without the UI, if for example you use the card with pkcs11-tool?
(In reply to Nikos Mavrogiannopoulos from comment #1)
> I'm curious. All smart cards require a PIN; why does this PIN require a
> special UI? Doesn't the PIN entry work without the UI, if for example you
> use the card with pkcs11-tool?

Really, I am not aware of the intricacies of the card. From forums about OpenDNIe I translate: without --enable-dnie-ui non-repudiation signatures will be done without the supplementary confirmation.
So do these signatures work if compiled without that option? As I understand from your description, this is a yes, even though there is no additional dialog. In that case, I am not sure we should enable that flag in fedora because we ship no consent application required by that flag, and technically there is not much of security there. One can simply use an opensc library without that option to remove the UI requirement.
OK. I can rebuild opensc for my personal use.
Please don't close it as easily. I'm trying to understand what is the issue. If possible please answer the questions in comment #3.
(In reply to Nikos Mavrogiannopoulos from comment #3)
> So do these signatures work if compiled without that option? As I understand
> from your description, this is a yes, even though there is no additional
> dialog. In that case, I am not sure we should enable that flag in fedora
> because we ship no consent application required by that flag, and
> technically there is not much of security there. One can simply use an
> opensc library without that option to remove the UI requirement.

You are right. I shouldn't have opened this bug. I read about the UI requirement and it is not a technical one but a political one. It seems the card issuer requires that this supplementary confirmation be embedded in the driver. So, every time you sign a document, you have to "OK|Cancel" this extra confirmation.

For example, suppose you use DNIe to sign your messages in Thunderbird. Without the option, the first time that Thunderbird signs a message it will ask you for the PIN, and from then on every new message will be signed without your awareness/intervention. With the option, the first time that Thunderbird signs a message it will ask you for the PIN, and with every new message you will have to "OK|Cancel" this extra confirmation to sign it. So you couldn't say that the program has signed the message/document without your awareness.
Ok, thank you. I'll close the bug in that case for the reasons stated above.