From: Douglas E E. <dee...@gm...> - 2015-09-02 14:54:01

Thanks for the response! And a few additional comments...

On 9/2/2015 5:10 AM, Klas Lindfors wrote:
> Hello,
>
> > How does Yubico see the Neo being used if it has both a PIV and OpenPGP application?
>
> From Yubico's (or at least my) perspective the thinking around the applications is that PIV is used through OpenSC/Windows and OpenPGP is used through gnupg. Our perspective has been that they're typically not used at the same time.

Yes. But IIRC there have been some comments in this or other mailing lists that while openpgp is using the card it locks the card up via PCSC, so the PIV can not be used for web authentication. Which implies that some users have programs running trying to use both applets. This may not be a Neo problem, but the openpgp card drivers.

> > Is one default?
> > How is the default set?
> > Can the default be set on the card?
>
> We've not thought of one of those two as default, more as options depending on what the user wants / what the application supports.

There is no default selected applet on the Neo, and it can't be set. The OpenSC issue is that it can support both, and we need a better way for a user to tell OpenSC what it should do, or OpenSC needs a way to present them via PKCS#11 as different tokens, in multiple slots.

> > The Neo presents the same ATR for both. The Neo does not take advantage of the ATR Historical bytes.
>
> No, we've not used the ATR at all to advertise what applications are present, the ATR is also different over the contactless interface.

The PIV driver does not compare ATRs these days. I never noticed. It looks for the PIV AID on any card; it's looking for the applet, not the card. The OpenPGP driver needs to do this too.

> > Are there end users who want to use both, at the same time?
>
> There have been questions about this, not very common and we've not come up with a good solution for it.

> > Has Yubico looked at presenting the Neo as two devices on the USB bus with different ATRs for the OpenPGP and PIV applications? (Historical bytes including the AID?)

For example, using the NIST test cards. In my set (other sets may be different) card 1 is a Gemalto PIV 1.5.5 DLv1, no NFC, uses T=0:

3b:7d:96:00:00:80:31:80:65:b0:83:11:17:d6:83:00:90:00

Card 2 is an Oberthur ID-One PIV, has NFC, uses T=1:

3b:df:96:00:81:b1:fe:45:1f:83:80:73:cc:91:cb:f9:a0:00:00:03:08:00:00:10:00:79

Note the PIV AID in the historical bytes: a0:00:00:03:08:00:00:10:00

> It's an interesting idea, I'm not sure how practical it is (due to several issues) but I'm happy to discuss possible solutions to simultaneous use.

If Neo hardware can support it, it could get around the openpgp locking problem. The Neo already presents itself as a USB keyboard and a USB smartcard reader. It could present itself as a keyboard, and a USB reader for each application it supports via CCID, each application having its own ATR. To the OS it looks like the user plugged in multiple readers with a different type of smart card in each. PCSC would treat them as separate readers and devices. Thus different smartcard middleware would not lock each other out while trying to use the cards. So combinations of the Windows PIV driver, OpenSC or some other OpenPGP driver would see the card they wanted to see, looking for the AID or ATR.

> > The OpenSC PIV driver checks for the PIV AID. The OpenSC OpenPGP driver has not, but issue #507 is trying to address this.
>
> I've always found checking for AID to be more exact, but that's coming from an angle where multiple applications can be loaded and you can't really tell from the ATR exactly what applications might be found on a specific card.

I agree. It also means that as an applet is ported to newer cards, because some issuing agency (gov or company...) wants to change cards, the AID stays the same and the applet will still be found by the existing middleware.

> > Do Yubico developers follow the OpenSC discussions?
>
> I try to follow opensc-devel for relevant stuff and keep up to date with what happens in the code.
>
> > Do they test OpenSC with their devices?
>
> As I wrote above our view is that the PIV parts of YubiKey devices should work with OpenSC; we test that.
>
> > Thanks.
>
> Thank you!
>
> /klas

-- 
Douglas E. Engert <DEE...@gm...>
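The ATR-versus-AID point in the exchange above, worked through as an added example (this is not code from the thread, from OpenSC or from Yubico). It parses the two NIST test-card ATRs quoted in the message per ISO 7816-3, checks whether the PIV AID appears in the historical bytes, and contrasts that with probing by SELECT-by-AID. The OpenPGP AID D2 76 00 01 24 01 is the well-known OpenPGP card AID and is not taken from the thread; the "two-applet" ATR and the SimCard class are constructed stand-ins so the script runs with no reader attached, and the constructed ATR is not the real YubiKey NEO ATR.

```python
"""ATR historical bytes versus SELECT by AID (added example, not OpenSC or Yubico code).
The two real ATRs are the NIST test-card ATRs quoted in the message; the
"two-applet" ATR and the SimCard class are constructed so this runs with no reader."""
from __future__ import annotations
from dataclasses import dataclass

PIV_AID = bytes.fromhex("a00000030800001000")      # from the message (SP 800-73 PIV card application)
OPENPGP_AID = bytes.fromhex("d27600012401")        # well-known OpenPGP card AID; not in the thread
GEMALTO_ATR = bytes.fromhex("3b7d96000080318065b0831117d683009000")                    # T=0, no AID
OBERTHUR_ATR = bytes.fromhex("3bdf960081b1fe451f838073cc91cbf9a0000003080000100079")  # T=1, PIV AID
TWO_APPLET_ATR = bytes.fromhex("3b800181")   # constructed: T=1, zero historical bytes (NOT the NEO's ATR)


@dataclass
class Atr:
    interface: dict[str, int]   # TA1, TB1, TC1, TD1, TA2, ... in the order they appear
    protocols: list[int]        # low nibble of each TD byte: 0 = T=0, 1 = T=1, 15 = global params
    historical: bytes
    tck: int | None
    tck_ok: bool


def parse_atr(atr: bytes) -> Atr:
    """Walk an ISO 7816-3 Answer-To-Reset and return its interface and historical bytes."""
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("not an ATR (bad TS byte)")
    y, k = atr[1] >> 4, atr[1] & 0x0F          # Y1: which of TA1..TD1 follow; K: historical byte count
    interface, protocols, pos, i = {}, [], 2, 1
    while True:
        td = None
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError("ATR truncated in interface bytes")
                interface[f"{name}{i}"] = atr[pos]
                if name == "TD":
                    td = atr[pos]
                pos += 1
        if td is None:
            break
        protocols.append(td & 0x0F)
        y, i = td >> 4, i + 1                  # TDi's high nibble announces TA(i+1)..TD(i+1)
    historical = atr[pos:pos + k]
    if len(historical) != k:
        raise ValueError("ATR truncated in historical bytes")
    pos += k
    tck, tck_ok = None, True
    if any(p != 0 for p in protocols):         # TCK present only if something other than T=0 is offered
        if pos >= len(atr):
            raise ValueError("TCK missing")
        tck, pos = atr[pos], pos + 1
        x = 0
        for b in atr[1:pos]:                   # T0 through TCK inclusive must XOR to zero
            x ^= b
        tck_ok = x == 0
    if pos != len(atr):
        raise ValueError("trailing bytes after ATR")
    return Atr(interface, protocols, historical, tck, tck_ok)


def atr_advertises(atr: bytes, aid: bytes) -> bool:
    """ATR-based detection: is the AID somewhere in the historical bytes?"""
    return aid in parse_atr(atr).historical


def select_apdu(aid: bytes) -> bytes:
    """SELECT by DF name (CLA 00 INS A4 P1 04 P2 00 Lc AID): how an AID-based driver probes."""
    return b"\x00\xa4\x04\x00" + bytes([len(aid)]) + aid


class SimCard:
    """Constructed stand-in for a card with some applets loaded.  Real cards return an
    FCI template before 90 00; only the status word is modelled here."""
    def __init__(self, name: str, atr: bytes, aids: list[bytes]):
        self.name, self.atr, self.aids = name, atr, aids

    def transmit(self, apdu: bytes) -> bytes:
        if apdu[:4] != b"\x00\xa4\x04\x00":
            return b"\x6d\x00"                 # INS not supported: only SELECT is modelled
        lc, name = apdu[4], apdu[5:5 + apdu[4]]
        if len(name) != lc:
            return b"\x67\x00"                 # wrong length
        if any(a.startswith(name) for a in self.aids):
            return b"\x90\x00"                 # prefix match, as partial-AID selection allows
        return b"\x6a\x82"                     # file or application not found


def applet_present(card: SimCard, aid: bytes) -> bool:
    """AID-based detection: SELECT the applet and look at the status word."""
    return card.transmit(select_apdu(aid))[-2:] == b"\x90\x00"


def probe(card: SimCard) -> dict[str, bool]:
    return {"atr_says_piv": atr_advertises(card.atr, PIV_AID),
            "select_piv": applet_present(card, PIV_AID),
            "select_openpgp": applet_present(card, OPENPGP_AID)}


CARDS = [SimCard("gemalto-piv", GEMALTO_ATR, [PIV_AID]),
         SimCard("oberthur-piv", OBERTHUR_ATR, [PIV_AID]),
         SimCard("two-applet", TWO_APPLET_ATR, [PIV_AID, OPENPGP_AID])]

if __name__ == "__main__":
    for card in CARDS:
        print(f"{card.name:13} {probe(card)}")
```

Running it shows why the AID check is the more exact one: the Gemalto card carries a PIV applet but nothing in its 13 historical bytes says so, the Oberthur card happens to put the AID there, and the constructed two-applet card has no historical bytes at all, yet SELECT finds PIV on all three and OpenPGP only where it is loaded. The parser also verifies the TCK checksum for the T=1 ATR, so a corrupted or truncated ATR is rejected rather than matched.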