8 Replies Latest reply: Aug 23, 2013 6:57 AM by 4ndrew RSS

    Security domain with mandated dap privilege

    934613
      Can I delete a security domain having mandated dap privilege as per global platform .
        • 1. Re: Security domain with mandated dap privilege
          safarmer
          You should be able to delete a Supplementary Security Domain regardless of the privileges it was installed with if you can authenticate to the ISD.

          Have you tried this? Did you get an error? What card are you using?

          Shane
          • 2. Re: Security domain with mandated dap privilege
            801926
            Hmm, don't think so. An SSD with plain or mandated DAP is meant not to be deleted by the ISD. Otherwise it beats the purpose of a Service Provider or Controlling Authority representative on the SE if the ISD can tamper with it. Only an SSD instance without any privileges (besides SSD) shall be deletable.
            • 3. Re: Security domain with mandated dap privilege
              safarmer
              You are most likely correct as usual :) I don't have a card I could test this on so that was based on an assumption on my part. I can see valid use cases where removing would be necessary but as you say it also has use cases where allowing it is a bad idea.

              Shane
              • 4. Re: Security domain with mandated dap privilege
                801926
                You can use JCOP simulator to test it. In the specification it's mentioned in the banking configuration of GP 2.2.
                • 5. Re: Security domain with mandated dap privilege
                  safarmer
                  lexdabear wrote:
                  You can use JCOP simulator to test it. In the specification it's mentioned in the banking configuration of GP 2.2.
                  Thanks for the tip. I will check it out.
                  • 6. Re: Security domain with mandated dap privilege
                    934613
                    Yes , I had tried it returns 6985 status word and I think this is right bcz as per GP2-1-1 and 2-2 mapping guidelines SD with dap privilege not getting deleted and return the same status word
                    • 7. Re: Security domain with mandated dap privilege
                      safarmer
                      safarmer wrote:
                      lexdabear wrote:
                      You can use JCOP simulator to test it. In the specification it's mentioned in the banking configuration of GP 2.2.
                      Thanks for the tip. I will check it out.
                      The JCOP emulator I have does not seem to support GP 2.2. I will ask around to see if anyone here has spoken to NXP about a newer version.

                      Shane
                      • 8. Re: Security domain with mandated dap privilege
                        4ndrew

                        Hi,

                         

                        I have the same problem. I created a SSD with mandated DAP, now I can not delete it. I have a JCOP card and the following so far:

                         

                        Card Manager AID   :  A0000001510000

                        Card Manager state :  OP_READY

                         

                         

                            Sec. Domain:PERSONALIZED (SVE----M) A000000004000001

                            Sec. Domain:PERSONALIZED  (SV-----M) A000000004000002

                            Load File  :                    LOADED (--------) A0000000035350   (Security Domain)

                             Module    :                                             A0000001510000

                             Module    :                                             A000000003535041

                             Module    :                                             A0000000030000

                         

                         

                        As you can see both A000000004000001 and A000000004000002 have mandated DAP privilege. Now I can not delete them.

                         

                         

                        cm>  delete A000000004000001

                        => 80 E4 00 00 0A 4F 08 A0 00 00 00 04 00 00 01 00    .....O..........

                        (195345 usec)

                        <= 69 85                                              i.

                        Status: Conditions of use not satisfied

                        jcshell: Error code: 6985 (Conditions of use not satisfied)

                         

                        Sadly I can not Load to them either. First I created the SSD with A000000004000001. Then I tried to LOAD a CAP with the appropriate load token and DAP(A000000004000001). It failed with 6985.

                        After that I instantiated a second SSD (because I realized that I can not delete the first one). I Tried to LOAD a CAP with the necessary DAP(A000000004000002) but it failed with 6985 as well. Now I'm stuck.

                         

                        Please tell me if there is any way to get rid of these SSDs. And besides what am I missing with the LOAD? Mandated DAP only means that if I try to load a CAP into a Security Domain with mDAP the CAP file has to have an appropriate DAP block, right? DAP meant if it exsits it will be checked but if there is no DAP provided it will pass.

                         

                        Many Thanks!

                         

                        -András