CSP Design - Working with several smartcards simultaneously

From: Alon Bar-Lev (alon_at_xor-t.com)
Date: 10/25/03

  • Next message: Christophe: "Re: Accepting a PKCS#7 on a computer where the private key is in the smart card and not in the REQUEST store."
    Date: Sat, 25 Oct 2003 12:48:03 +0200
    
    

    Hello MS CSP experts!

    We have a design question regarding CSPs when working with several
    smartcards simultaneously with the same CSP.

    Since there is no constraint on container name format/content, it is legal
    to have two smartcards with the same container name.

    The question is how to handle this situation.

    We did not find specific and definite documentation regarding this issue,
    so we will be grateful if you can address it.

    We already implemented CryptAcquireContext with a container that can be in
    the following format: "\\.\\reader", so CryptGetProvParam with
    PP_ENUMCONTAINERS can enumerate containers only on a specific smartcard.

    The problem is with the certificate store. If we attach the container name
    to the certificate, when the call to CryptAcquireContext takes place,
    the CSP will not be able to determine which card was referred to.

    If we attach the full container name to the certificate
    "\\.\\reader\\container" the CSP will be able to determine which card was
    referred to, BUT then we lose synchronization with PP_ENUMCONTAINERS, since
    it should return only the container name part.

    There is also a problem with putting the reader name in the store, since it
    does not support moving the same card from one reader to another and
    continuing to work without interruption. In order to solve this we thought
    about having a new convention, "\\#serial\\container", which will direct the
    CSP to a specific smartcard serial.

    Questions:

      1. What is Microsoft's stand regarding handling two smartcards with the
    same container name simultaneously?
      2. What is Microsoft's stand regarding moving a smartcard from one reader to
    another?
      If it should be done without interruption, putting the reader name in the
    store is problematic (although it is the only supported convention).
      3. What format of container name should be attached to a certificate in
    the store?
      Does Microsoft recommend attaching the FQN of the container name to a
    certificate in the store? ("\\.\\reader\\container")
      4. Is it legal that PP_ENUMCONTAINERS returns container names that are
    different from those attached in the store?
      So applications cannot enumerate the store and containers and perform a match.
      5. And most importantly, how will the Microsoft Generic/Mini CSP handle
    these dilemmas?

    Best Regards,

    Alon Bar-Lev

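As an added example (not code from the post, nor from any Microsoft CSP), a small C parser and resolver for the container-name conventions discussed above: it splits the `\\.\reader\container` form and the proposed `\\#serial\container` form into a card selector plus the bare container name that PP_ENUMCONTAINERS would report, and shows how a request using only the bare name becomes ambiguous once two inserted cards share that name. The exact prefix spelling, the 64-byte field sizes, the constructed card inventory and the numeric return codes are all assumptions of this example.

```c
#include <string.h>
/* Hypothetical routing info parsed from a CAPI container name (not Microsoft code). */
typedef enum { SEL_ANY = 0, SEL_READER, SEL_SERIAL } card_selector;
typedef struct {
    card_selector sel;
    char target[64];      /* reader name or card serial; empty for SEL_ANY */
    char container[64];   /* bare name: the part PP_ENUMCONTAINERS should report */
} container_ref;

/* Accepts "container", "\\.\reader\container" or "\\#serial\container"; 1 = ok, 0 = malformed. */
int parse_container_ref(const char *name, container_ref *out)
{
    const char *rest;
    memset(out, 0, sizeof *out);
    if (name == NULL || *name == '\0') return 0;
    if (strncmp(name, "\\\\.\\", 4) == 0)    { out->sel = SEL_READER; rest = name + 4; }
    else if (strncmp(name, "\\\\#", 3) == 0) { out->sel = SEL_SERIAL; rest = name + 3; }
    else                                      { out->sel = SEL_ANY;    rest = name; }
    if (out->sel != SEL_ANY) {                /* split "<target>\<container>" */
        const char *sep = strchr(rest, '\\');
        if (sep == NULL || sep == rest || (size_t)(sep - rest) >= sizeof out->target) return 0;
        memcpy(out->target, rest, (size_t)(sep - rest));
        rest = sep + 1;
    }
    if (*rest == '\0' || strchr(rest, '\\') || strlen(rest) >= sizeof out->container) return 0;
    strcpy(out->container, rest);
    return 1;
}
/* Convenience wrapper returning the parsed struct by value (container field empty on failure). */
container_ref parsed(const char *name) { container_ref r; parse_container_ref(name, &r); return r; }
/* Constructed inventory of inserted cards; two of them share the container name "mycont". */
typedef struct { const char *reader, *serial, *container; } card_slot;
static const card_slot sample_cards[] = {
    { "Reader0", "SN0001", "mycont" }, { "Reader1", "SN0002", "mycont" }, { "Reader2", "SN0003", "other" },
};
/* Resolve a name to one card: index on a unique match, -1 none, -2 ambiguous, -3 malformed. */
int route_request(const char *name)
{
    container_ref ref; int i, hit = -1;
    if (!parse_container_ref(name, &ref)) return -3;
    for (i = 0; i < (int)(sizeof sample_cards / sizeof sample_cards[0]); i++) {
        const card_slot *c = &sample_cards[i];
        if (strcmp(c->container, ref.container) != 0) continue;
        if (ref.sel == SEL_READER && strcmp(c->reader, ref.target) != 0) continue;
        if (ref.sel == SEL_SERIAL && strcmp(c->serial, ref.target) != 0) continue;
        if (hit != -1) return -2;             /* a second card matched: ambiguous */
        hit = i;
    }
    return hit;
}
```

A CSP that stores only the bare name with the certificate hits the `-2` case as soon as a second card with the same container name is present; the serial-prefixed form resolves uniquely and keeps working when the card moves to another reader.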
