From: Simon J. <si...@jo...> - 2015-09-06 20:49:13
Douglas E Engert <dee...@gm...> writes:

> Thanks for the response!
> and a few additional comments...
>
> On 9/2/2015 5:10 AM, Klas Lindfors wrote:
>> Hello,
>>
>> How does Yubico see the Neo being used if it has both a PIV and OpenPGP application?
>>
>> From Yubico's (or at least my) perspective the thinking around the applications is that PIV is used through OpenSC/Windows and OpenPGP is used through gnupg. Our perspective has been that they're typically not used at the same time.
>
> Yes. But IIRC there have been some comments in this or other mail lists that while openpgp is using the card it locks the card up via PCSC, so the PIV can not be used for web authentication.
> Which implies that some users have programs running trying to use both applets. This may not be a Neo problem, but the openpgp card drivers.

That problem is because scdaemon opens the smartcard (via pcsc) in exclusive mode, thereby locking out other pcsc users. This was discussed recently on the GnuPG devel list, and it is not related to NEO or OpenSC.

One solution is to kill scdaemon when you want to do non-scdaemon-based access. It is not particularly pleasing, but at least it works reliably.

>> Is one default?
>> How is the default set?
>> Can the default be set on the card?
>>
>> We've not thought of one of those two as default, more as options depending on what the user wants / what the application supports. There is no default selected applet on the Neo, and it can't be set.
>
> The OpenSC issue is it can support both, and we need a better way for a user to tell OpenSC what it should do, or OpenSC needs a way to present them via PKCS#11 as different tokens, in multiple slots.

Using PKCS#11 URLs in application contexts may help. Then the user can specify which token is intended.

>> It's an interesting idea, I'm not sure how practical it is (due to several issues) but I'm happy to discuss possible solutions to simultaneous use.
>
> If Neo hardware can support it, it could get around the openpgp locking problem. The Neo already presents itself as a USB keyboard, and a USB smartcard reader.
>
> It could present itself as a keyboard, and a USB reader for each application it supports via CCID. Each application having its own ATR.
> To the OS it looks like the user plugged in multiple readers with a different type of smart card in each.
> PCSC would treat them as separate readers and devices. Thus different smartcard middleware would not lock each other out while trying to use the cards.
> So combinations of Windows PIV driver, OpenSC or some other OpenPGP driver would see the card they wanted to see looking for the AID or ATR.

Interesting idea, but I don't see that it is feasible. For example, how to deal with concurrent access? The smartcard can only have one app selected at the same time anyway, as far as I understand.

/Simon
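As an added illustration (not part of the thread, and not OpenSC or Yubico code) of the PKCS#11 URL idea raised above: an RFC 7512 `pkcs11:` URI parser plus a matcher that picks, from a constructed list of two tokens that one PKCS#11 module might expose for a NEO (a PIV slot and an OpenPGP slot, labels hypothetical), only the token the user named. Attributes left out of the URI act as wildcards.

```python
"""Pick a PKCS#11 token by RFC 7512 URI; example code, not from the thread."""
from urllib.parse import unquote

# Constructed descriptors standing in for what a PKCS#11 module could list
# when one NEO is presented as two tokens. Labels are hypothetical.
SAMPLE_TOKENS = [
    {"slot-id": "0", "token": "PIV_II (PIV Card Holder pin)",
     "manufacturer": "piv_II", "model": "PKCS#15 emulated"},
    {"slot-id": "1", "token": "OpenPGP card (User PIN)",
     "manufacturer": "ZeitControl", "model": "PKCS#15 emulated"},
]


def parse_pkcs11_uri(uri):
    """Parse 'pkcs11:attr=value;attr=value?query' into a dict of path attributes.

    Values are percent-decoded as RFC 7512 requires (e.g. '#' arrives as %23).
    The query part (pin-value, module-path, ...) is not needed for matching
    and is ignored here.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URI: %r" % uri)
    path = uri[len("pkcs11:"):].split("?", 1)[0]
    attrs = {}
    for part in path.split(";"):
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed path attribute: %r" % part)
        attrs[name] = unquote(value)
    return attrs


def select_token(uri, tokens):
    """Return every token whose attributes equal all attributes named in the URI.

    A bare 'pkcs11:' URI names nothing, so it matches every token; the caller
    can treat more than one match as 'ambiguous, ask the user'.
    """
    wanted = parse_pkcs11_uri(uri)
    return [t for t in tokens if all(t.get(k) == v for k, v in wanted.items())]
```

A caller that gets zero matches knows the named token is absent, and one that gets several knows the URI was not specific enough to choose between the PIV and OpenPGP tokens.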