This discussion is archived
8 Replies Latest reply: Aug 23, 2013 4:57 AM by 4ndrew RSS

Security domain with mandated dap privilege

934613 Newbie
Currently Being Moderated
Can I delete a security domain having mandated dap privilege as per global platform .
  • 1. Re: Security domain with mandated dap privilege
    safarmer Expert
    Currently Being Moderated
    You should be able to delete a Supplementary Security Domain regardless of the privileges it was installed with if you can authenticate to the ISD.

    Have you tried this? Did you get an error? What card are you using?

    Shane
  • 2. Re: Security domain with mandated dap privilege
    801926 Explorer
    Currently Being Moderated
    Hmm, don't think so. An SSD with plain or mandated DAP is meant not to be deleted by the ISD. Otherwise it beats the purpose of a Service Provider or Controlling Authority representative on the SE if the ISD can tamper with it. Only an SSD instance without any privileges (besides SSD) shall be deletable.
  • 3. Re: Security domain with mandated dap privilege
    safarmer Expert
    Currently Being Moderated
    You are most likely correct as usual :) I don't have a card I could test this on so that was based on an assumption on my part. I can see valid use cases where removing would be necessary but as you say it also has use cases where allowing it is a bad idea.

    Shane
  • 4. Re: Security domain with mandated dap privilege
    801926 Explorer
    Currently Being Moderated
    You can use JCOP simulator to test it. In the specification it's mentioned in the banking configuration of GP 2.2.
  • 5. Re: Security domain with mandated dap privilege
    safarmer Expert
    Currently Being Moderated
    lexdabear wrote:
    You can use JCOP simulator to test it. In the specification it's mentioned in the banking configuration of GP 2.2.
    Thanks for the tip. I will check it out.
  • 6. Re: Security domain with mandated dap privilege
    934613 Newbie
    Currently Being Moderated
    Yes , I had tried it returns 6985 status word and I think this is right bcz as per GP2-1-1 and 2-2 mapping guidelines SD with dap privilege not getting deleted and return the same status word
  • 7. Re: Security domain with mandated dap privilege
    safarmer Expert
    Currently Being Moderated
    safarmer wrote:
    lexdabear wrote:
    You can use JCOP simulator to test it. In the specification it's mentioned in the banking configuration of GP 2.2.
    Thanks for the tip. I will check it out.
    The JCOP emulator I have does not seem to support GP 2.2. I will ask around to see if anyone here has spoken to NXP about a newer version.

    Shane
  • 8. Re: Security domain with mandated dap privilege
    4ndrew Newbie
    Currently Being Moderated

    Hi,

     

    I have the same problem. I created a SSD with mandated DAP, now I can not delete it. I have a JCOP card and the following so far:

     

    Card Manager AID   :  A0000001510000

    Card Manager state :  OP_READY

     

     

        Sec. Domain:PERSONALIZED (SVE----M) A000000004000001

        Sec. Domain:PERSONALIZED  (SV-----M) A000000004000002

        Load File  :                    LOADED (--------) A0000000035350   (Security Domain)

         Module    :                                             A0000001510000

         Module    :                                             A000000003535041

         Module    :                                             A0000000030000

     

     

    As you can see both A000000004000001 and A000000004000002 have mandated DAP privilege. Now I can not delete them.

     

     

    cm>  delete A000000004000001

    => 80 E4 00 00 0A 4F 08 A0 00 00 00 04 00 00 01 00    .....O..........

    (195345 usec)

    <= 69 85                                              i.

    Status: Conditions of use not satisfied

    jcshell: Error code: 6985 (Conditions of use not satisfied)

     

    Sadly I can not Load to them either. First I created the SSD with A000000004000001. Then I tried to LOAD a CAP with the appropriate load token and DAP(A000000004000001). It failed with 6985.

    After that I instantiated a second SSD (because I realized that I can not delete the first one). I Tried to LOAD a CAP with the necessary DAP(A000000004000002) but it failed with 6985 as well. Now I'm stuck.

     

    Please tell me if there is any way to get rid of these SSDs. And besides what am I missing with the LOAD? Mandated DAP only means that if I try to load a CAP into a Security Domain with mDAP the CAP file has to have an appropriate DAP block, right? DAP meant if it exsits it will be checked but if there is no DAP provided it will pass.

     

    Many Thanks!

     

    -András

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points