From: David W. <dw...@in...> - 2016-09-28 09:12:12

On Wed, 2016-09-28 at 11:41 +0300, Martin Paljak wrote:
> On 28/09/16 11:34, David Woodhouse wrote:
> > Then you can use it with *any* PKCS#11 module, including OpenSC's. Why
> > have a hardware-specific Tokend implementation at all?
>
> In theory - yes. In practice - there is a shitload of weirdly buggy
> PKCS#11 modules out there and when you need to provide reliability, such
> wishful layering often fails to deliver. And you need to configure them
> and resolve conflicts and ...

True. But for the OpenSC case we don't have to care about those other buggy PKCS#11 providers. For us to deprecate Tokend.OpenSC in favour of Tokend.PKCS#11 we *only* need the OpenSC PKCS#11 module to be working right. All those other crappy third-party modules can still be weirdly buggy, and we aren't any worse off.

Those vendors are going to need to fix *their* PKCS#11 provider before *they* stop shipping their Tokend.XXXX and say "hey, do it through Tokend.PKCS#11". But that's their business.

> The other sad part about tokend is - it will be phased out.
>
> https://developer.apple.com/reference/cryptotokenkit
>
> Anyway, it seems that such "long layering" is something that is actively
> being worked against, with things like WebUSB being preferred by some
> implementers instead of going through whatever would provide access to
> hardware tokens (think: pkcs11-pcsc-ccid)

Yeah, that definitely makes it more fun :)

So is PCSC going to go away completely? For the Yubikey OATH support, talking directly to the YubiOATH applet on the card, I currently do it through PCSC identically (modulo Windows Unicode stupidity) on *all* platforms:

http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/yubikey.c

This is separate from the *crypto* key support which I only do via PKCS#11 right now (qv). Is even this going to break?

--
dwmw2