From: Jakub J. <jj...@re...> - 2018-01-08 08:51:34
On Mon, 2018-01-08 at 08:10 +0100, Frank Morgner wrote:
> If OpenSC is not responsive enough, have you tried enabling file caching?
> Did you disable the card drivers that you don't need? Instead of using 42
> ssh sessions to the same machine, have you tried using a single session
> running tmux or GNU screen on the other end of the connection? In OpenSC we
> try to support multiple applications as best as we can. It should at least be
> possible to use the same OpenSC library in different applications without
> much of a problem. If not, well, report, debug and fix the problem! If you
> don't do it, the situation will stay as it is.
>
> For example, for more than a year now, I've been using the Minidriver
> wrapper of OpenSC in large scale now with at least a dozen "client"
> applications. Yes, there were concurrency issues; yes there were
> performance issues; yes there were things like memory corruptions; yes
> there were configuration problems. However, looking into this, I not only
> got a better understanding how OpenSC is working internally, I also
> understood how Windows (CNG) is working. OpenSC now even outperforms the
> proprietary middleware solution that I've been using before.
>
> Complaining doesn't help much for making the situation better, so here are
> some short hints:
>
> Performance:
>
> - use `use_file_caching = true`. (check if your card driver actually
>   supports file caching!)
> - some drivers support internal file (path) caching that's always
>   enabled. That, however, is very complex and error prone
>   (https://github.com/OpenSC/OpenSC/issues/1159)... I'd recommend to use
>   file caching on disk instead
> - disable card drivers you don't need
> - analyze the card driver and remove unused card transactions
>
>
> Concurrency:
>
> - by default, OpenSC uses fine grained locking only for the smart card
>   transactions (i.e. SCardBeginTransaction) without the need for a global
>   lock (read: using Firefox and Thunderbird at the same time should not lead
>   to errors)
> - (the hard part) running multiple processes with the same library needs
>   to be tested. The problems may be specific to the actual smart card driver,
>   so there is no way around actually doing the testing.
>
>
> End user adoption:
>
> - PKCS#11 has been designed as API for applications. It was not designed
>   to be used by end users. That's the reason U2F support is directly built
>   into the applications, which allows a much better user interaction.
> - On Windows and even macOS the situation is much better, because both,
>   a smart card driver and a smart card application only have a single "entry
>   point". The OS offers APIs that transparently handle the token and it
>   offers a unified infrastructure for installing token drivers. (Maybe this
>   is the root of GPG's (scdaemon) attitude on requiring an exclusive lock on
>   the card. It wants to be the only smart card framework for the whole
>   system. Unfortunately this doesn't go well with the bazaar that Linux is.)
> - Using smart cards in a managed environment works quite well (even with
>   PKCS#11)! Your company just needs a good IT department that configures
>   everything that's needed.
>
> Coming back to the original topic of this message: Thanks Jakub for taking
> this opportunity! Something new I'd like to hear in a talk would be some
> ideas on how to overcome the lack of documentation, how to achieve good
> testing (especially with smart cards!) and how you see things like WebUSB
> (e.g. think of a Web App that contains everything including reader driver,
> smart card driver and smart card application).
>
> Though, I think I cannot be present at FOSDEM, I hope you can publish the
> slides (e.g. in the OpenSC wiki)!

Thank you for the write up, ideas and comments.

I will certainly try to address some of the topics discussed here, since I understand that these are very important points for people considering using smart cards of any form.

For anyone who would like to see the talk, it should be streamed/recorded. But I will certainly share the results here.

Thanks,
Jakub
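As an added illustration (not part of either mail, and not a file shipped by the OpenSC project), this is what the two performance hints in the quoted message look like in an opensc.conf: file caching switched on under the pkcs15 framework, and the driver list trimmed with card_drivers so that only the drivers actually needed are probed. The key names follow OpenSC's opensc.conf.example; the driver names and the cache directory are placeholders chosen for the example, not values taken from the thread.

```conf
# Added example: opensc.conf fragment applying the performance hints above.
# Key names follow OpenSC's opensc.conf.example; the driver names and the
# cache directory are illustrative placeholders.
app default {
	# Load only the drivers for the cards actually in use. Every driver in
	# this list is tried against a freshly inserted card, so unneeded
	# entries cost time on each insertion. The keyword "internal" expands
	# to the full built-in list; replace the placeholder names below with
	# the driver names of your own cards.
	card_drivers = PIV-II, openpgp;

	framework pkcs15 {
		# Cache card files (certificates, directory structures) on disk so
		# they are not read from the card again by every process or session.
		# As the mail notes, check first that your card driver supports
		# file caching at all.
		use_file_caching = true;
		# Placeholder path. The cache holds card contents, so keep the
		# directory private to the user account (e.g. mode 0700).
		file_cache_dir = "/home/alice/.cache/opensc";
	}
}
```

When reading the cache-related lines, keep in mind that the on-disk cache is a copy of what was read from the card; it speeds up repeated sessions precisely because it avoids the card, so stale entries can appear if the card's contents change, and the directory's permissions decide who else on the host can read the cached files.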