From: Douglas E E. <dee...@gm...> - 2018-01-07 14:14:37
Sorry you are disappointed in the state of smart cards these days. It is what it is for a number of historical reasons.

o Multiple vendors providing cards, middleware and applications to use only their cards.
o Differences of opinion on how cards should be used.
o Developers are concerned with their cards and not others.
o Standards are overly complicated and most things are optional, leading to no common standards.
o OS vendors never really adopted smart cards. The market was way too small.
o and the list goes on.

Note that much of the middleware, including pkcs11, runs in the user applications, not in the OS. So caching is done by each application as long as it keeps pkcs11 active. So every ssh use of a key requires pkcs11 to be loaded, the card connected, certificates read, etc.

But long-running applications can lock out access to a card from other applications. Some call this a security requirement. Others would call this a bug.

There are some things you can do. For some cards, OpenSC can cache certificates and other data in the user's home directory. OpenSC can try and leave the card in a logged-in state if you set disconnect = leave; see the comments in opensc.conf. But other applications not using OpenSC can still lock access to the card at the PCSC level.

On 1/7/2018 4:53 AM, NdK wrote:
> On 07/01/2018 00:17, J.W...@mi... wrote:
>
>> You know there is a patch for OpenSSH, so it can use ssl keys/certificates....
>> Afaicr this feature has been in the commercial branch of ssh for years.
> Uh? I've been able to use a simple PKCS11Provider config option to
> specify the lib to use and access keys on card.
> But the point is that if Firefox is accessing the same card, ssh fails.
>
> BYtE,
>  Diego

--
Douglas E. Engert <DEE...@gm...>
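The two OpenSC settings mentioned in the reply above, written out as an opensc.conf fragment. This is an added illustration, not part of the original thread; it assumes that the option the author calls `disconnect = leave` is the `disconnect_action` key of the `reader_driver pcsc` block in opensc.conf.example, and that the home-directory cache is the `use_file_caching` key of `framework pkcs15`.

```conf
app default {
	reader_driver pcsc {
		# Do not ask PC/SC for an exclusive connection. An exclusive
		# connection is exactly the kind of lock that makes ssh fail
		# while another application holds the card. The default is
		# already false; it is spelled out here for clarity.
		connect_exclusive = false;

		# What to do on SCardDisconnect. "leave" keeps the card powered
		# and its logged-in state intact, so the next application that
		# loads the pkcs11 module does not have to start over.
		# Other values: reset, unpower.
		# Trade-off: a card left logged in can be used by any process
		# that can reach it through PC/SC until it is reset.
		disconnect_action = leave;
	}

	framework pkcs15 {
		# Cache data read from the card (certificates, directory
		# files) under the user's home directory, so each ssh key use
		# does not re-read them from the card. Default: false.
		use_file_caching = true;
	}
}
```

Neither setting prevents an application that bypasses OpenSC from taking a PC/SC-level lock on the reader, which is the remaining failure mode the reply describes.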