Middleware configuration

Middleware configuration can be accessed from the "Configuration" tab (cogwheel icon) of the Smart Card Manager tool:

../_images/configuration.png

PKCS#11 interface

This option configures how the signature PIN is entered via the PKCS#11 interface. Three choices are available:

  • Standard mode: this is the mode defined by the PKCS#11 standard. The signature PIN is managed by the application, which decides when the PIN is verified, when it is invalidated, and so on. PIN entry is also carried out by the application, through its own user interface.

  • Automatic without PIN cache: in this mode, the middleware simulates the absence of a PIN for objects linked to signature PINs. Since the application has no knowledge of a PIN for these objects, it will not present any entries itself. It is the middleware that presents its own input box when a signature actually needs to be made. This is the default mode when the middleware is installed. This mode solves user interface sequencing problems for applications that have no use for signature keys, and which present the input box prematurely (typically Firefox).

  • Automatic with PIN cache: this mode is similar to the previous one, but the PIN is cached to avoid repeated entries when signing several documents in succession, which would otherwise be required when the key container enforces non-repudiation. The PIN cache is local to PKCS#11 and lasts only as long as the session with the token.

Note: this choice only concerns the management of the signature PIN. The user's normal PIN is not affected by this configuration. Normal PIN operation is always the standard mode.
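The standard-mode sequencing described above, as an added example that is not part of this documentation or the middleware: a constructed mock token models a non-repudiation signature key (CKA_ALWAYS_AUTHENTICATE), so the application itself must perform the user login and one context-specific login before every C_Sign, which is exactly the repeated PIN entry the automatic modes absorb. The class and function names are assumptions; no real PKCS#11 library or card is used.

```python
"""Mock of PKCS#11 'standard mode' for a key with CKA_ALWAYS_AUTHENTICATE.
Constructed example: the application (not the middleware) calls
C_Login(CKU_USER) once, then C_Login(CKU_CONTEXT_SPECIFIC) between
C_SignInit and each C_Sign. Return codes follow PKCS#11 values; the
operation-termination rules of a real token are simplified."""
import hashlib
import hmac

CKU_USER, CKU_CONTEXT_SPECIFIC = 1, 3
CKR_OK, CKR_OPERATION_NOT_INITIALIZED = 0x00, 0x91
CKR_PIN_INCORRECT, CKR_USER_NOT_LOGGED_IN = 0xA0, 0x101

class MockToken:
    def __init__(self, user_pin, sig_pin):
        self._pins = {CKU_USER: user_pin, CKU_CONTEXT_SPECIFIC: sig_pin}
        self.user_logged_in = False
        self.context_auth = False   # one-shot: consumed by a single sign
        self.sign_active = False
        self.prompts = 0            # PIN entries the application had to make

    def login(self, user_type, pin):
        self.prompts += 1
        if user_type == CKU_CONTEXT_SPECIFIC and not self.sign_active:
            return CKR_OPERATION_NOT_INITIALIZED
        if not hmac.compare_digest(pin, self._pins[user_type]):
            return CKR_PIN_INCORRECT
        if user_type == CKU_USER:
            self.user_logged_in = True
        else:
            self.context_auth = True
        return CKR_OK

    def sign_init(self):
        if not self.user_logged_in:
            return CKR_USER_NOT_LOGGED_IN
        self.sign_active = True
        return CKR_OK

    def sign(self, data):
        if not self.sign_active:
            return CKR_OPERATION_NOT_INITIALIZED, None
        if not self.context_auth:   # signature PIN not presented for this op
            return CKR_USER_NOT_LOGGED_IN, None
        self.context_auth = self.sign_active = False
        return CKR_OK, hashlib.sha256(data).hexdigest()  # stand-in signature

def sign_documents(token, sig_pin, docs):
    """Standard-mode application loop: one signature PIN entry per document."""
    sigs = []
    for doc in docs:
        if token.sign_init() != CKR_OK:
            raise RuntimeError("C_SignInit failed: user not logged in")
        if token.login(CKU_CONTEXT_SPECIFIC, sig_pin) != CKR_OK:
            raise RuntimeError("context-specific login failed")
        rv, sig = token.sign(doc)
        if rv != CKR_OK:
            raise RuntimeError(f"C_Sign failed: {rv:#x}")
        sigs.append(sig)
    return sigs
```

Signing three documents costs one user login plus three context-specific logins, which is the prompt count the "Automatic with PIN cache" mode is designed to reduce.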

Windows interface

This option configures how applications using Windows interfaces (CryptoAPI) will use the middleware:

  • MiniDriver without PIN cache: in this mode, applications use the middleware through the Smart Card Minidriver (Microsoft CNG). Under these conditions, PIN entry is performed by the OS or by the application. The middleware declares the PIN with a "normal" policy: the PIN is therefore not cached by the OS and is requested again for each signature (generally causing annoying PIN entry requests when browsing sites requiring SSL client authentication).

  • MiniDriver with PIN cache during an applicative session: applications use the middleware through the Smart Card Minidriver (Microsoft CNG). The middleware declares the PIN with a "timed" policy: this causes the OS to cache the PIN for the duration of the applicative session.

  • CSP without PIN cache: applications use the middleware through the CSP. The PIN is requested through the middleware's input interface (the CSP interface does not give the application control over the PIN). No PIN cache is used, but the middleware tries to keep the validated state of the PIN while a context remains open.