From: Douglas E E. <dee...@gm...> - 2018-01-06 16:43:32
On 1/6/2018 5:11 AM, NdK wrote:
> On 05/01/2018 19:01, Bernd Eckenfels wrote:
>> Hello,
>> Did you try scdaemon (scenario 1 with SCd-PKCS11 should work with Firefox)
>> https://github.com/sektioneins/scd-pkcs11/blob/master/README.md
> IIUC that's for GPG to use OpenSC-managed cards.

Yes, that looks like it is trying to address some of these problems. But as it is trying to use some of the middleware that wants exclusive access to a token at PCSC level (Gnu OpenPGP), it still has problems.

> Practical example. I have a MyEID card where I load a couple of keys
> for web auth (say work portal and CAcert), a key for mail signing
> (X509), a key for SSH access and the 3 GPG keys (DEC, SIG, AUT, and
> possibly the master C key too).
> That's what I could do before problems started (I last tested quite some
> time ago, so it might be a bit fuzzy). IIRC, if I had Firefox open I
> couldn't access any key from other apps (including Thunderbird).
> If I closed FF, then I could sign/decrypt mails in Thunderbird, but
> either with X509 or GPG (Enigmail). And to use SSH I had to close TB, too.

I do not have a MyEID card, so it is not clear if using the multiple certs and keys and using GPG keys is the same problem as with multiple applets on the card.

> Guess what's the "normal user" reaction? "fsck smartcards".

I know. That is a problem. Most applets are developed by developers only interested in their applet. But users are more interested in using a single token that can be used from multiple applications.

> Then an unrelated problem (that probably can't be fixed w/o changing a
> lot of things): CSSH. CSSH opens ssh sessions to a "cluster" of machines
> (I used it with 42 parallel sessions) and allows sending the same
> commands to all the sessions. But if the ssh key is on card (and no one
> else is using it), it's simply too slow to handle such a batch of
> requests and logins time out.

Cards are slow, and designed to be cheap and fit in a wallet. Some tokens are much faster, and you may want to look at a faster device. The way the card is accessed, each ssh command may have to read a lot of data off the slow card before doing any operation. If every application, upon closing, resets the card, the next time the card is used will require more time to open. Consider trying opensc.conf disconnect = leave; rather than reset. It can make a big difference if all applications trying to use the card do the same thing.

> IMVHO PKCS#11 greatly suffered "design by committee", making it hard to
> use it correctly in a multi-app scenario. Smartcards made it even worse,
> being able to host multiple applets but with only one active at a time:
> the very concept "only one program can access the card at any time".
> That actually "forces" developers to ask for exclusive access and the
> loop closes.

That is the way things developed. The PKCS* and ISO standards date from the late nineties for use with smart "cards" that were slow and relatively cheap. Look at some HSM token if you want speed.

> That's why I have some cards lying around (MyEID, Epass2003, GnuK, a
> couple of JCOP card models for programming experiments) but don't use 'em.
>
> BYtE,
> Diego
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel

-- 
Douglas E. Engert <DEE...@gm...>
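An opensc.conf fragment illustrating the setting Douglas suggests, added here as an example; it is not taken from the thread or from OpenSC's own files. The mail writes the option in shorthand as "disconnect = leave"; the full key name used below, `disconnect_action` inside the `reader_driver pcsc` block, is my assumption based on OpenSC's sample configuration of that era, so check it against the opensc.conf shipped with your OpenSC version. Both behaviours are shown side by side: resetting on every disconnect, which makes each following application re-select and re-read the card, and leaving the card alone, which keeps its state across short-lived sessions such as the ones CSSH opens.

```conf
# Added example, not from the original message or from OpenSC.
# Assumed key name: disconnect_action (verify in the opensc.conf of your version).
app default {
    reader_driver pcsc {
        # Reset on every SCardDisconnect: each application that closes the
        # token leaves the card powered down, so the next user (ssh,
        # Thunderbird, Firefox) pays for applet selection and for re-reading
        # the card's file system all over again.
        # disconnect_action = reset;

        # Leave the card as-is on disconnect: card state survives between
        # applications, which is what the mail recommends for workloads that
        # open many short sessions against the same card.
        disconnect_action = leave;
    }
}
```

The file is normally /etc/opensc.conf or /etc/opensc/opensc.conf depending on the distribution. One trade-off to weigh before switching: on most ISO 7816 cards the security status (a verified PIN) is cleared only by a reset or power-down, so with `leave` that status can remain in place for the next process that opens the reader; the speed gain comes with a shared-state assumption that is fine on a single-user workstation but worth thinking about on a machine where several users or services share one reader.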