OCC ambiguity and missing functionality in ASN.1 schema

[dmercer-google]

The PUT_DATA_ADMIN schema enumerates pin (1) and pinAlways (2) which makes sense. For occ you have only defined occ (4) and have omitted occAlways. If you look at the Security conditions for keys 9A and 9C in 800-73-4 Part 1 Table 4b you will see that both OCC and OCC Always are used.

I suggest you:

• change occ (4) to occAlways (4)
• add occ (8)

In your access mode enumeration documentation here you have a row:

Occ | The object may be accessed only after a successful Biometric On-Card Comparison in the current session.

This is not consistent with your docs on Pin and Pin Always as the former is one time and the latter is good for an entire session. I suggest that upi rename Occ to Occ Always and add a row for Occ which is one time like Pin

[makinako]

The occ parameter was put there a bit prematurely in anticpation of functionality that hasn't been implemented yet.
But it is and so we should do it correctly. We have two options:

1. We have pin, pinAlways, occ and occAlways flags as you have described.
2. We could also just rename pinAlways to simply always or alwaysAuth

The reason for mentioning the second option is that it seems reasonable if you have both PIN and OCC authentication for an object, you would to apply the alwaysAuth flag uniformly to both. It also means from a schema/code perspective nothing changes except the field rename.
Let me know if this sounds good or if you think there's a potential use for having two separate always flags

[dmercer-google]

2 seems to be the most elegant. 1 is better for back compat