Menu
▾
▴
opensc-devel — discussion of developement of OpenSC and related projects
You can subscribe to this list here.
| 2012 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
(1) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2013 |
Jan
(26) |
Feb
(64) |
Mar
(78) |
Apr
(36) |
May
(51) |
Jun
(40) |
Jul
(43) |
Aug
(102) |
Sep
(50) |
Oct
(71) |
Nov
(42) |
Dec
(29) |
| 2014 |
Jan
(49) |
Feb
(52) |
Mar
(56) |
Apr
(30) |
May
(31) |
Jun
(52) |
Jul
(76) |
Aug
(19) |
Sep
(82) |
Oct
(95) |
Nov
(58) |
Dec
(76) |
| 2015 |
Jan
(135) |
Feb
(43) |
Mar
(47) |
Apr
(72) |
May
(59) |
Jun
(20) |
Jul
(17) |
Aug
(14) |
Sep
(34) |
Oct
(62) |
Nov
(48) |
Dec
(23) |
| 2016 |
Jan
(18) |
Feb
(55) |
Mar
(24) |
Apr
(20) |
May
(33) |
Jun
(29) |
Jul
(18) |
Aug
(15) |
Sep
(8) |
Oct
(21) |
Nov
(5) |
Dec
(23) |
| 2017 |
Jan
(3) |
Feb
|
Mar
(17) |
Apr
(4) |
May
|
Jun
(5) |
Jul
(1) |
Aug
(20) |
Sep
(17) |
Oct
(21) |
Nov
|
Dec
(3) |
| 2018 |
Jan
(62) |
Feb
(4) |
Mar
(4) |
Apr
(20) |
May
(16) |
Jun
|
Jul
(1) |
Aug
(9) |
Sep
(3) |
Oct
(11) |
Nov
|
Dec
(9) |
| 2019 |
Jan
(1) |
Feb
(1) |
Mar
(2) |
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
(2) |
Oct
(5) |
Nov
|
Dec
(5) |
| 2020 |
Jan
(11) |
Feb
(14) |
Mar
(7) |
Apr
|
May
|
Jun
(3) |
Jul
(3) |
Aug
(6) |
Sep
(2) |
Oct
(15) |
Nov
(11) |
Dec
(7) |
| 2021 |
Jan
(14) |
Feb
(21) |
Mar
(3) |
Apr
(1) |
May
(1) |
Jun
|
Jul
(1) |
Aug
(1) |
Sep
(3) |
Oct
|
Nov
|
Dec
|
| 2022 |
Jan
|
Feb
(1) |
Mar
|
Apr
|
May
|
Jun
(2) |
Jul
|
Aug
|
Sep
|
Oct
(4) |
Nov
(12) |
Dec
|
| 2023 |
Jan
(2) |
Feb
(4) |
Mar
|
Apr
(8) |
May
|
Jun
(2) |
Jul
|
Aug
(3) |
Sep
(1) |
Oct
|
Nov
(1) |
Dec
(1) |
| 2024 |
Jan
|
Feb
(2) |
Mar
(6) |
Apr
(1) |
May
|
Jun
(2) |
Jul
|
Aug
|
Sep
(1) |
Oct
|
Nov
(4) |
Dec
|
| 2025 |
Jan
(1) |
Feb
|
Mar
|
Apr
(5) |
May
|
Jun
|
Jul
(11) |
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
|
From: Jean-Michel P. - G. <jm...@go...> - 2013-08-26 10:39:31
|
Le lundi 26 août 2013 à 11:27 +0200, Anders Rundgren a écrit : > Even the traditionalists have waken up: > http://www.w3.org/wiki/images/6/6f/SysApp_-_Secure_Element_API_-_intro.pdf > It will be fun! I see your point and agree that SKS/KeyGen2 is user and business friendly. So everyone is pushing in the same direction, even if not perfectly legal, with the same moto: "we are not aware of local laws". So what? It is very usual for me to order on Google Play, eBay or Amazon and receive the goods the next day with an invoice in Ireland or Luxemburg with little or no VAT. The French government is loosing billions in revenues every years and does not really complains, other than words like "we don't agree". Therefore, those companies have a tendency to believe that everything they do is perfectly legal and their users also believe that if those companies behave like that, it is legal. IMHO, it is could be interesting for those companies to have more and more crypto, on the fly, with no control around taxes. To make a comparison, as a kid, there used to be a No-cross sign on a rather high speed road, in my home-town . Everyone used to cross in front of that No-cross sign, simply because it was pretty convenient to reach the railway station. So many people crossed that pavement was wearing off. In the end, 3 or 4 years later, authorities installed a public crossing. On the converse, when individuals and states loose power and money, this might not always stay "as-if". As an individual, I am quite concerned how our money is spent in schools, universities, public services and event defense, in France, not in Luxemburg or Ireland. IMHO, this is the real picture behind this project. Kind regards, -- Jean-Michel Pouré - Gooze - http://www.gooze.eu |
|
From: Anders R. <and...@gm...> - 2013-08-26 09:28:00
|
On 2013-08-26 11:21, Jean-Michel Pouré - GOOZE wrote: >> I think this step is closer to the acceptance of a cookie. >> This system is designed to replace passwords, not giving external >> parties access to your computer. > > I agree with you. Even the traditionalists have waken up: http://www.w3.org/wiki/images/6/6f/SysApp_-_Secure_Element_API_-_intro.pdf It will be fun! Cheers Anders > > Also, keep in mind that SKS/KeyGen2 will allow https communications with > major US vendors (Facebook, Google, etc ...) like a breeze. All data > will end-up in a huge data center in the desert. > > The advantages of System Officer and local management of PKI is that > there is some control of individuals, companies and governments on their > own PKI and information flows. We publish our own laws, so why should we > give away the right to manage our own PKI? > > I consider SKS/KeyGen2 as a US Government project. If you are working > for free on SKS/KeyGen2, please ask for a salary! > > From a pure legal point, I don't think this is legal in all countries to > manage a PKI in a cloud, situated nowhere, with no control. Google is > pushing around with the same moto: "we are not aware of local laws". > > Just my 2 cents, I will stop there to avoid filling the list. Flame wars > are not good for communities. > > Just do the right thing. > > Kind regards, > > > > ------------------------------------------------------------------------------ > Introducing Performance Central, a new site from SourceForge and > AppDynamics. Performance Central is your source for news, insights, > analysis and resources for efficient Application Performance Management. > Visit us today! > http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk > > > > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > |
|
From: Jean-Michel P. - G. <jm...@go...> - 2013-08-26 09:21:33
|
> I think this step is closer to the acceptance of a cookie.
> This system is designed to replace passwords, not giving external
> parties access to your computer.
I agree with you.
Also, keep in mind that SKS/KeyGen2 will allow https communications with
major US vendors (Facebook, Google, etc ...) like a breeze. All data
will end-up in a huge data center in the desert.
The advantages of System Officer and local management of PKI is that
there is some control of individuals, companies and governments on their
own PKI and information flows. We publish our own laws, so why should we
give away the right to manage our own PKI?
I consider SKS/KeyGen2 as a US Government project. If you are working
for free on SKS/KeyGen2, please ask for a salary!
From a pure legal point, I don't think this is legal in all countries to
manage a PKI in a cloud, situated nowhere, with no control. Google is
pushing around with the same moto: "we are not aware of local laws".
Just my 2 cents, I will stop there to avoid filling the list. Flame wars
are not good for communities.
Just do the right thing.
Kind regards,
--
Jean-Michel Pouré - Gooze - http://www.gooze.eu
|
|
From: Markus K. <ko...@rr...> - 2013-08-24 10:48:47
|
Hello,
I do not have a PIV card, but opensc compatible cards, a Dell Keyboard
with integrated reader, opensc 0.12 and openssl 1.0.1.
On 08/23/2013 05:27 PM, Charlie Bancroft wrote:
> I am not sure if this is more of a question for the OpenSC-devel or for
> the OpenSSL lists but here it goes.
The attached script works fine for me.
Basically I disabled pinpad in opensc.conf, added
-pre VERBOSE \
-pre PIN:$3
removed -pre NO_VCHECK:1
result is, it does not complain about anything and the resulting file is
verified.
./sign.sh sign.sh slot_1-id_23102b881918fc430affa651939f76520ea26169 823423
...
13:d=1 hl=2 l= 20 prim: OCTET STRING [HEX
DUMP]:B6716639213C8E94BD7F108F9498E0FB97726544
sha1sum sign.sh
b6716639213c8e94bd7f108f9498e0fb97726544 sign.sh
Maybe you got a public key on the card which does not match the private
key with the same id?
I'd format the card, recreate the key.
And - in case there were any changes, reset openssl.cnf
MfG
Markus
|
|
From: Charlie B. <cha...@gm...> - 2013-08-23 15:27:15
|
Hi,
I am not sure if this is more of a question for the OpenSC-devel or for the
OpenSSL lists but here it goes.
I have been working on integrating PIV cards into our software program
architecture and have run into an issue verifying the signatures generated
by PIV cards. I have generated the signature using openssl through
engine_pkcs11 and opensc-pkcs11 and I cannot get it to verify. No matter
what I do the output from OpenSSL returns with:
139868424963728:error:0407006A:rsa
routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
139868424963728:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding
check failed:rsa_eay.c:721:
The script I am using to sign and verify this is:
#!/bin/bash
# Usage: $0 <name of file to sign> <private key identifier for engine>
cat >asn1.conf <<EOF
asn1 = SEQUENCE:digest_info_and_digest
[digest_info_and_digest]
dinfo = SEQUENCE:digest_info
digest = FORMAT:HEX,OCT:`openssl dgst -sha1 $1 |cut -f 2 -d ' '`
[digest_info]
algid = OID:1.3.14.3.2.26
params = NULL
EOF
openssl << EOT
engine dynamic -vvvv -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so \
-pre ID:pkcs11 -pre NO_VCHECK:1 \
-pre LIST_ADD:1 -pre LOAD \
-pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
asn1parse -i -genconf asn1.conf -out $1.dgst.asn1
rsautl -engine pkcs11 -keyform engine -sign -in $1.dgst.asn1 -inkey $2 -out
$1.sig.rsa
rsautl -engine pkcs11 -keyform engine -verify -in $1.sig.rsa -inkey $2 -out
$1.dgst.asn1_v
EOT
Note that this script was created to replicate an issue being seen in our
code trying to verify using the EVP_Verify* API calls once the signature
was generated and uses the script from
http://stackoverflow.com/questions/9951559/difference-between-openssl-rsautl-and-dgstas
reference material.
Am I doing something incorrect to generate the signature so that is can't
be verified? Or could there be an issue with the signature generation from
the card??
Charles Bancroft
Software Engineer
Raytheon BBN Technologies
|
|
From: Anders R. <and...@gm...> - 2013-08-23 13:09:15
|
On 2013-08-23 14:06, Jean-Michel Pouré - GOOZE wrote: > Le vendredi 23 août 2013 à 13:39 +0200, NdK a écrit : >> Your bank asks access to your token. You grant it the right to create >> keys and from this moment it cak create new keys "on your token" when >> needed. I think this step is closer to the acceptance of a cookie. If the issuer also provides a KMK (Key Management Key) during provisioning, keys can be updated although the user must still actually browse to the issuer site. However, one can imagine automatic updates based on attributes supplied with keys. This would work analogous to SW updates. > What you call a "bank" can later access your keyring and add > information. Enrollment process is direct from provider to final > consumer without SO-Officer. Final consumer may not be aware of security > considerations. With Facebook, Google and various online services, there > is a tendency to "overclick" when a flow of information is send to final > user. And who is controlling the security provider and in which country > is situated what you call "cloud" and what is the legislation? Does the > legislation of provider apply or legislation of the user? > > The "bank" is asking for my laptop and tells me "Ok, we can take care of > your laptop, go and have a beer while we add keys in your laptop, under > our own laws". This system is designed to replace passwords, not giving external parties access to your computer. Cheers Anders > Just my 2 cents. > > Kinds regards, > > > > ------------------------------------------------------------------------------ > Introducing Performance Central, a new site from SourceForge and > AppDynamics. Performance Central is your source for news, insights, > analysis and resources for efficient Application Performance Management. > Visit us today! > http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk > > > > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > |
|
From: Jean-Michel P. - G. <jm...@go...> - 2013-08-23 12:06:26
|
Le vendredi 23 août 2013 à 13:39 +0200, NdK a écrit :
> Your bank asks access to your token. You grant it the right to create
> keys and from this moment it cak create new keys "on your token" when
> needed.
What you call a "bank" can later access your keyring and add
information. Enrollment process is direct from provider to final
consumer without SO-Officer. Final consumer may not be aware of security
considerations. With Facebook, Google and various online services, there
is a tendency to "overclick" when a flow of information is send to final
user. And who is controlling the security provider and in which country
is situated what you call "cloud" and what is the legislation? Does the
legislation of provider apply or legislation of the user?
The "bank" is asking for my laptop and tells me "Ok, we can take care of
your laptop, go and have a beer while we add keys in your laptop, under
our own laws".
Just my 2 cents.
Kinds regards,
--
Jean-Michel Pouré - Gooze - http://www.gooze.eu
|
|
From: NdK <ndk...@gm...> - 2013-08-23 11:39:08
|
Il 23/08/2013 10:31, Jean-Michel Pouré - GOOZE ha scritto: > I don't fully understand the notion of security model defined in 2.4 > where "user grants an issuer the right to create keys in the SKS." Your bank asks access to your token. You grant it the right to create keys and from this moment it cak create new keys "on your token" when needed. Then your cloud provider sets up a smart-card access for accounts: you grant him the privilege to create keys on your token like you did for the bank. Obviously the provider won't be able to create/use keys in the "bank area" and viceversa. > Do you mean "we should leave you our laptop, while we are out for lunch, > to keep it safe"? Uh? > Are your really going to elaborate a software around this "obscure" > notion of security? Most security agencies are turning to be more strict > and I doubt that this security scheme can survive a long time. I think it's the only that can support a single store for "unlimited" virtual identities... BYtE, Diego. |
|
From: Jean-Michel P. - G. <jm...@go...> - 2013-08-23 09:37:56
|
Le jeudi 22 août 2013 à 17:54 +0200, Jean-Pierre Szikora a écrit : > (https://github.com/OpenSC/OpenSC/commit/de4dd056bfc95935198528c4e7ddcd8cbbb7b8c1) fixing a problem existing in 0.13 but not in 0.12.2. Dear Jean-Pierre, Yes, I have been using OpenSC latest version. Under Windows, the ePass2003 supports SO-PIN, but not under OpenSC. Moreover, the ePass2003 is bricked with using SO-PIN initialization. Example: pkcs15-init -E--create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --pin 0000 --puk 111111 --so-pin 0000 --so-puk 111111 --label "François Pérou" Using reader with a card: Feitian ePass2003 00 00 Failed to create PKCS #15 meta structure: Not allowed This is an undocumented problem which we were never able to solve ourselves. Recently, a GOOZE user proposed that SO-PIN ***could** be declared in ePass2003 profile. I could test these settings successfully: /usr/share/opensc/epass2003.profile option onepin { macros { pin-flags = local, initialized, needs-padding; so-pin-flags = local, initialized, soPin; df_acl = *=$PIN, *=$SOPIN, CRYPTO=NONE, FILES=NONE, CREATE=NONE, DELETE=NONE; df_acl = *=NEVER, CRYPTO=NONE, FILES=NONE, CREATE=NONE, DELETE=NONE; ef_acl = *=NEVER, READ=NONE, UPDATE=NONE, WRITE=NONE, DELETE=NONE; sf_acl = *=NEVER, UPDATE=NONE; protected = *=NEVER,READ=NONE, UPDATE= $PIN, DELETE=$PIN; unprotected = *=NONE; dir-size = 112; tinfo-size = 128; unusedspace-size = 128; odf-size = 512; aodf-size = 256; cdf-size = 2048; prkdf-size = 1024; pukdf-size = 1024; dodf-size = 256; info-size = 128; maxPin-size = 2; } } I simply added the line: so-pin-flags = local, initialized, soPin; # Warning: ePass2003 does not support SO-PIN for undocumented reasons. Now, the ePass2003 can initialize: pkcs15-init -E--create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --pin 0000 --puk 111111 --so-pin 0000 --so-puk 111111 --label "François Pérou" But still SO-PIN and SO-PUK are not initialized. This failure to initialize the ePass2003 with SO-PIN support under OpenSC is the reason for GOOZE stopping distribution of the ePass2003 as of 22 August 2013. Read: http://www.gooze.eu/forums/support/epass2003-sales-suspended To enquire more, I would like to know whether this ONEPIN one line fix is acceptable, at least to avoid breakage. This is only to continue supporting our user base of ePass2003 users. Kind regards, -- Jean-Michel Pouré - Gooze - http://www.gooze.eu |
|
From: Jean-Michel P. - G. <jm...@go...> - 2013-08-23 08:31:17
|
Le lundi 19 août 2013 à 11:33 +0200, Anders Rundgren a écrit : > I will slowly but surely port the SKS/KeyGen2 concept to Linux: > https://openkeystore.googlecode.com/svn/resources/trunk/docs/sks-api-arch.pdf Dear Anders, I don't fully understand the notion of security model defined in 2.4 where "user grants an issuer the right to create keys in the SKS." Do you mean "we should leave you our laptop, while we are out for lunch, to keep it safe"? Are your really going to elaborate a software around this "obscure" notion of security? Most security agencies are turning to be more strict and I doubt that this security scheme can survive a long time. Kind regards, -- Jean-Michel Pouré - Gooze - http://www.gooze.eu |
|
From: Jean-Michel P. - G. <jm...@go...> - 2013-08-23 08:05:05
|
Le samedi 17 août 2013 à 07:10 +0200, Anders Rundgren a écrit : > Wouldn't it be a better use of resources defining a standard PKI card > where the operating system > vendors provide the *single* driver instead of relying on installation > of third-part SW? As written previously, Microsoft did follow this path and Apple dropped this approach recently. And OpenSC is mainly for GNU/Linux although it supports all systems. Another point is that security devices have a hardware side with firmware and an OS side. Validating firmware is extremely expensive and resource consuming. See for example Common Criteria (CC): http://www.commoncriteriaportal.org/products/ Therefore, moving OpenSC from user-space to kernel space and defining SPECs for a common smartcard would not change the global amount of work for vendors. Nevertheless, I keep your idea in memory, as it could be very interesting. One interesting point is that small is beautiful. Keeping a smartcard very simple makes it difficult to attack. And this is the main point for us at GOOZE. Kind regards, -- Jean-Michel Pouré - Gooze - http://www.gooze.eu |
|
From: Jean-Pierre S. <jea...@uc...> - 2013-08-22 15:54:31
|
Hi Jean-Michel, Have you tried the latest version of OpenSC version from GitHub ? There is a patch (https://github.com/OpenSC/OpenSC/commit/de4dd056bfc95935198528c4e7ddcd8cbbb7b8c1) fixing a problem existing in 0.13 but not in 0.12.2. Best Regards, Jean-Pierre Le 22 août 2013 à 17:00, Jean-Michel Pouré - GOOZE a écrit : > Dear all, > > The ePass2003 does not work when initialized with SO-PIN in OpenSC. > > GOOZE requested technical documentation from Feitian, but never received > the list of APDU command or any useful documentation. > > A GOOZE user did some research and found the following trick: > > The issue is not in SO PIN itself. It's caused by incorrect ACL flags > arising from not using the ACL flags defined in "onepin" profile. If you > add a profile referring SOPIN into /usr/share/opensc/epass2003.profile > (e.g. before line "option onepin") and use it, pkcs15-init won't "brick" > token anymore: > > option sopinacl { > macros { > so-pin-flags = local, initialized, soPin; > pin-flags = local, initialized, needs-padding; > df_acl = *=$SOPIN, CRYPTO=NONE, FILES=NONE, CREATE=NONE, DELETE=NONE; > ef_acl = *=NEVER, READ=NONE, UPDATE=NONE, WRITE=NONE, DELETE=NONE; > sf_acl = *=NEVER, UPDATE=NONE; > protected = *=NEVER,READ=NONE, UPDATE=$PIN, DELETE=$PIN; > } > } > > I would welcome the feedback from OpenSC community and would like to > know if this works for you and/or would be useful in OpenSC itself. > > Maybe Feitian itself could comment on this proposal of fix in reply on > OpenSC mailing list. > > Kind regards, > Jean-Michel Pouré > -- > > GOOZE - http://www.gooze.eu > High quality cryptographic tools > for GNU/Linux, Mac OS X and Windows > POURE SASU - 17 rue Saint Jacques - 95160 Montmorency - France > Tel : +33 (0)9 72 13 53 90 - Mobile : +33 (0)6 51 99 37 90 > Registry: FR 527 672 448 00018 - VAT: FR54527672448 > CAcert root certificate: http://www.cacert.org/index.php?id=3 > ID PGP/GPG: 084F2584 > ------------------------------------------------------------------------------ > Introducing Performance Central, a new site from SourceForge and > AppDynamics. Performance Central is your source for news, insights, > analysis and resources for efficient Application Performance Management. > Visit us today! > http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel -- Dr Jean-Pierre Szikora e-mail: jea...@uc... tel: 32-2-764.75.00 75, av. Hippocrate, bte B1.74.03 fax: 32-2-764.65.65 1200 Brussels - Belgium |
|
From: Jean-Michel P. - G. <jm...@go...> - 2013-08-22 15:00:18
|
Dear all,
The ePass2003 does not work when initialized with SO-PIN in OpenSC.
GOOZE requested technical documentation from Feitian, but never received
the list of APDU command or any useful documentation.
A GOOZE user did some research and found the following trick:
The issue is not in SO PIN itself. It's caused by incorrect ACL flags
arising from not using the ACL flags defined in "onepin" profile. If you
add a profile referring SOPIN into /usr/share/opensc/epass2003.profile
(e.g. before line "option onepin") and use it, pkcs15-init won't "brick"
token anymore:
option sopinacl {
macros {
so-pin-flags = local, initialized, soPin;
pin-flags = local, initialized, needs-padding;
df_acl = *=$SOPIN, CRYPTO=NONE, FILES=NONE, CREATE=NONE, DELETE=NONE;
ef_acl = *=NEVER, READ=NONE, UPDATE=NONE, WRITE=NONE, DELETE=NONE;
sf_acl = *=NEVER, UPDATE=NONE;
protected = *=NEVER,READ=NONE, UPDATE=$PIN, DELETE=$PIN;
}
}
I would welcome the feedback from OpenSC community and would like to
know if this works for you and/or would be useful in OpenSC itself.
Maybe Feitian itself could comment on this proposal of fix in reply on
OpenSC mailing list.
Kind regards,
Jean-Michel Pouré
--
GOOZE - http://www.gooze.eu
High quality cryptographic tools
for GNU/Linux, Mac OS X and Windows
POURE SASU - 17 rue Saint Jacques - 95160 Montmorency - France
Tel : +33 (0)9 72 13 53 90 - Mobile : +33 (0)6 51 99 37 90
Registry: FR 527 672 448 00018 - VAT: FR54527672448
CAcert root certificate: http://www.cacert.org/index.php?id=3
ID PGP/GPG: 084F2584
|
|
From: Douglas E. E. <dee...@an...> - 2013-08-19 18:21:07
|
On 8/17/2013 12:10 AM, Anders Rundgren wrote: > When I look into the OpenSC mailing list I wonder if something isn't fundamentally broken. > > In the end (after provisioning) all smart PKI cards do more or less the same thing; > That is, performs a pretty well standardized RSA or EC operation. > > Wouldn't it be a better use of resources defining a standard PKI card where the operating system > vendors provide the *single* driver instead of relying on installation of third-part SW? This is the same old situation the industry has always had... Vendors have always control the market. But more recently governments have started setting the standards, and at least one OS vendor, Microsoft, has defined its own standards. Microsoft supports at least the U.S. gov PIV standard and its .NET card standard. In both cases, the user is not expected to issue cards, a government or enterprise is expected to provision the cards. > > With automatic updates (of OS and Token), you wouldn't be stuck with a specific design either. > The static structure of current PKI-tokens is extremely counter-productive. There are no security > issues doing firmware updates on-the-fly; it just requires a bit more memory in order to be robust. > > Naturally this wouldn't stop anybody from continuing creating "unique" cards but > a guess is that these cards would only attract a fraction of the market. And that is where OpenSC comes in, supporting these unique cards on non Windows platforms, which is a tiny fraction of the market. > > Anders > > ------------------------------------------------------------------------------ > Get 100% visibility into Java/.NET code with AppDynamics Lite! > It's a free troubleshooting tool designed for production. > Get down to code-level detail for bottlenecks, with <2% overhead. > Download for free and get started troubleshooting in minutes. > http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > -- Douglas E. Engert <DEE...@an...> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 |
|
From: Anders R. <and...@gm...> - 2013-08-19 09:33:45
|
Having been encouraged by a message from Mr. Linu{s|x} himself, that
"the security people will never agree on anything" (which probably is correct...) ,
I will slowly but surely port the SKS/KeyGen2 concept to Linux:
https://openkeystore.googlecode.com/svn/resources/trunk/docs/sks-api-arch.pdf
Unfortunately I have have reached a temporary setback because I have found
out that Google will never support XML Schema in Android which makes KeyGen2
dependent on _my_ ports of pretty giant third-party libraries like Apache's XML suite.
In addition, the web-world seems to be hooked on JSON so this is what KeyGen2
will be rewritten in. However, using JSON isn't completely without issues either:
http://webpki.org/papers/PKI/converting-xmldsig-2-json.pdf
Since SKS/KeyGen2 anyway relies on concepts that have very little support in standards
like SM (Secure Messaging), I'm probably going to use proprietary definitions of JSON
crypto objects for the reasons just stated. The parser will probably check in at 3K-5K
lines so it is not really comparable to the 200K line (!) XML XSD/DSig.
On the lower-end of things, the SKS, I will swap the WS-interface for serialized binary
that should run fine both with Android's "binder" and Linux' D-Bus. The client-code
for all implementations will (like the current WS-interface
https://code.google.com/p/openkeystore/source/browse/library/trunk/build/sks-ws-descriptor.xml)
be auto-generated from a single definition file. Skipping WS will make life much simpler :-)
Cheers
Anders
|
|
From: Andreas S. <and...@ca...> - 2013-08-17 10:25:59
|
Hi Anders, I fully agree with your position. If you look at the current design of popular smart card operating systems (other than plain JavaCards), then these contain an incredible amount of functionality, but only the basic cryptographic functions and a little PIN management is really used at the end. The same for standards: Why should I use a complex PKCS#15 structure to just describe the obvious: I have a user authentication mechanism, some administrative authentication, a set of keys and certificates. On the token/card level I do not need more than what is actually usable at the PKCS#11 level. This combined with a secure provisioning interface is what we had in mind with the SmartCard-HSM design. Keep it simple and stupid - but secure. The key question is how we get a common interface standard ? This is something the user rather than the supplier has to do. It doesn't work for vendor driven ISO standardization, but it works for user driven standardization like EMV or MRTDs. Andreas On 08/17/2013 07:10 AM, Anders Rundgren wrote: > When I look into the OpenSC mailing list I wonder if something isn't fundamentally broken. > > In the end (after provisioning) all smart PKI cards do more or less the same thing; > That is, performs a pretty well standardized RSA or EC operation. > > Wouldn't it be a better use of resources defining a standard PKI card where the operating system > vendors provide the *single* driver instead of relying on installation of third-part SW? > > With automatic updates (of OS and Token), you wouldn't be stuck with a specific design either. > The static structure of current PKI-tokens is extremely counter-productive. There are no security > issues doing firmware updates on-the-fly; it just requires a bit more memory in order to be robust. > > Naturally this wouldn't stop anybody from continuing creating "unique" cards but > a guess is that these cards would only attract a fraction of the market. > > Anders > > ------------------------------------------------------------------------------ > Get 100% visibility into Java/.NET code with AppDynamics Lite! > It's a free troubleshooting tool designed for production. > Get down to code-level detail for bottlenecks, with <2% overhead. > Download for free and get started troubleshooting in minutes. > http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > |
|
From: Anders R. <and...@gm...> - 2013-08-17 05:11:09
|
When I look into the OpenSC mailing list I wonder if something isn't fundamentally broken. In the end (after provisioning) all smart PKI cards do more or less the same thing; That is, performs a pretty well standardized RSA or EC operation. Wouldn't it be a better use of resources defining a standard PKI card where the operating system vendors provide the *single* driver instead of relying on installation of third-part SW? With automatic updates (of OS and Token), you wouldn't be stuck with a specific design either. The static structure of current PKI-tokens is extremely counter-productive. There are no security issues doing firmware updates on-the-fly; it just requires a bit more memory in order to be robust. Naturally this wouldn't stop anybody from continuing creating "unique" cards but a guess is that these cards would only attract a fraction of the market. Anders |
|
From: alicia c. <li...@gm...> - 2013-08-16 16:17:51
|
Hi , I want to use OpenSC + OpenSSL on Windows with my G&D SmartCard and Muscle, and I'm having a lot of trouble about it. I download and install opensc-0.13.0-win32.msi and OpenSC-0.12.2-win32.msi but none installs pkcs11-engine needed to work with OpenSSL and Muscle profile either. I don't know if this versions includes all necessary code for Muscle support because I obtain an error when I force pkcs11 and pkcs15 tools to use Muscle driver. After that, I have tried to build my own OpenSC .exe installer following this steps: https://github.com/OpenSC/OpenSC/wiki/OpenSC-Windows-installer I have followed Build instructions (Linux) but it seems that build branch (svn https://www.opensc-project.org/svn/build) doesn't exist when I run $ ./win32/installer_from_build.sh and I can't build it. I have followed Build instructions (Windows) too but I get some errors when I try to make it and instructions and steps are not clear to me. Do you have any .exe installer that includes Muscle supports and pkcs11-engine libs? Do you have other instructions to build it? Thank you so much for your help. Regards. -- Un saludo, Alicia. -- Un saludo, Alicia. |
|
From: Douglas E. E. <dee...@an...> - 2013-08-12 17:04:14
|
On 8/12/2013 11:19 AM, Steven D Brown wrote: > We are trying to login to a Windows 2008 R2 machine. > > I have sent many traces to Dr Rousseau, did you want me to capture one and > post it here? Not really. If Dr Rousseau looked at your traces, and said it was sending commands pcscd does not support, then pcscd does not support them. It might be possible to get it to support them if one can find the Microsoft documentation on what these commands are expected to do. This might mean changes to rdesktop too. http://technet.microsoft.com/en-us/library/ff404286(WS.10).aspx > > Gemalto provided me with an implementation of PKCS11 which others have > indicated I should not need. Correct. It looks like it would have no use in trying to use rdesktop to login to Windows. But you could use in on Linux with FireFox, Thunderbird or Kerberos PKINIT. > > > > Steven Brown, Support Consultant > ISM Canada An IBM Global Services Company > 1 Research Drive, Regina, Saskatchewan, Canada,S4S7H1 > Mail: sb...@ca... > Direct: 1.306.337.5620 > > > > From: "Douglas E. Engert" <dee...@an...> > > To: ope...@li..., > > Date: 2013/08/12 09:57 AM > > Subject: Re: [Opensc-devel] PCSClite + OpenSC + RDesktop + Gemalto IDPrime .NET SmartCard > > > > > > > > > On 8/8/2013 5:16 PM, Steven D Brown wrote: >> >> Hello Folks, >> >> This is my first post here, I did some searches of the mailing list via >> Google but didn't see anything relevant. >> >> I have the following setup: >> >> RedHat 6.4 / Ubuntu 12.xx laptops >> Rdesktop 1.7.1 >> PSCSlite 1.8.5 >> >> Gemalto Reader as shown here: >> http://pcsclite.alioth.debian.org/ccid/supported.html#0x08E60x3437 , >> although it is a USB model >> >> I would like to be able to use my Gemalto IDPrime .NET ( >> http://www.gemalto.com/products/dotnet_card/ ) card to login to a Windows >> Server from my Linux laptops. > > What version of the windows server? > >> >> >> I have spent the past week or so speaking to Dr Rousseau about PCSClite > and >> he says that the Windows server is asking for some attributes that PCSC > is >> currently unequipped to handle on these cards. Because this is a >> self-motivated project within my department, I am unable to fund a > massive >> research project to sort this out. >> >> I was hoping maybe someone here could help me. I have received a ZIP >> file from Gemalto which contains their PKCS11 Library for use with these >> cards. >> > > Just tested from: Ubuntu 12.10 using: > > Rdesktop 1.7.1 > PSCSlite 1.8.5 > > SCM 355 reader > U.S. Gov issued PIV smart card to Windows 7 using: > > rdesktop -r scard hostname > > This works, and Windows 7 logs me in to the Windows Domain, > as if I was at the console. > > Note that neither OpenSC or PKCS#11 is not involved. > > The Windows 7 built-in minidriver driver sends APDU commands to pcscd > on ubuntu, and responses are returned. > > As Dr Rousseau must have indicated, It sounds like the GemAlto software > on the Windows side is sending some commands over to rdesktop to be sent > to pcscd that it can not handle. > > Have you gotten a pcscd trace? > /usr/sbin/pcscd -f -a -d > some.output.file > >> Would someone here be willing to work with me to make these cards >> compatible with PSCS / OpenSC / OpenCT / Whatever? > > For use with Windows via rdesktop, it sounds like you need a > minidriver on Windows and no changes on the unix side. > But GemAlto (or Windows .NET) provided you with one. > > It may be that the windows server is old, can you try > doing a rdesktop to a Windows 7 or Windows 8? > > It could also be that the .NET card is sending commands to > pcscd that rdesktop or pcscd can not handle. > > Does a PCSCD trace show what is failing? > >> >> Is it possible? > > Yes, but it sounds like the GemAlto driver should work, > if run on a new enough Windows server. > >> >> Steven Brown, Support Consultant >> ISM Canada An IBM Global Services Company >> 1 Research Drive, Regina, Saskatchewan, Canada,S4S7H1 >> Mail: sb...@ca... >> Direct: 1.306.337.5620 >> >> >> > ------------------------------------------------------------------------------ > >> Get 100% visibility into Java/.NET code with AppDynamics Lite! >> It's a free troubleshooting tool designed for production. >> Get down to code-level detail for bottlenecks, with <2% overhead. >> Download for free and get started troubleshooting in minutes. >> > http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk >> _______________________________________________ >> Opensc-devel mailing list >> Ope...@li... >> https://lists.sourceforge.net/lists/listinfo/opensc-devel >> > > -- > > Douglas E. Engert <DEE...@an...> > Argonne National Laboratory > 9700 South Cass Avenue > Argonne, Illinois 60439 > (630) 252-5444 > > ------------------------------------------------------------------------------ > > Get 100% visibility into Java/.NET code with AppDynamics Lite! > It's a free troubleshooting tool designed for production. > Get down to code-level detail for bottlenecks, with <2% overhead. > Download for free and get started troubleshooting in minutes. > http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > > > > > . > -- Douglas E. Engert <DEE...@an...> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 |
|
From: Florent D. <fde...@gm...> - 2013-08-12 16:55:18
|
> Gemalto provided me with an implementation of PKCS11 which others have > indicated I should not need. > > Yes, you need a Minidriver for Windows, not a PKCS11 library : http://www.gemalto.com/products/dotnet_card/resources/libraries.html |
|
From: Douglas E. E. <dee...@an...> - 2013-08-12 16:20:32
|
And some other things to try: Gem Alto has a number of debugging tools. Can you login to the windows server using user/password from a Windows 7 using RDC and see if their debugging utilities work as expected over RDC. Then try again from a Ubuntu client using rdesktop and see if the debugging utilities work from there. As others have said, it could be that rdesktop and/or pcscd are not supporting some features of the .NET cards, or http://msdn.microsoft.com/en-us/windows/hardware/gg487500.aspx On 8/12/2013 10:56 AM, Douglas E. Engert wrote: > > > On 8/8/2013 5:16 PM, Steven D Brown wrote: >> >> Hello Folks, >> >> This is my first post here, I did some searches of the mailing list via >> Google but didn't see anything relevant. >> >> I have the following setup: >> >> RedHat 6.4 / Ubuntu 12.xx laptops >> Rdesktop 1.7.1 >> PSCSlite 1.8.5 >> >> Gemalto Reader as shown here: >> http://pcsclite.alioth.debian.org/ccid/supported.html#0x08E60x3437 , >> although it is a USB model >> >> I would like to be able to use my Gemalto IDPrime .NET ( >> http://www.gemalto.com/products/dotnet_card/ ) card to login to a Windows >> Server from my Linux laptops. > > What version of the windows server? > >> >> >> I have spent the past week or so speaking to Dr Rousseau about PCSClite and >> he says that the Windows server is asking for some attributes that PCSC is >> currently unequipped to handle on these cards. Because this is a >> self-motivated project within my department, I am unable to fund a massive >> research project to sort this out. >> >> I was hoping maybe someone here could help me. I have received a ZIP >> file from Gemalto which contains their PKCS11 Library for use with these >> cards. >> > > Just tested from: Ubuntu 12.10 using: > > Rdesktop 1.7.1 > PSCSlite 1.8.5 > > SCM 355 reader > U.S. Gov issued PIV smart card to Windows 7 using: > > rdesktop -r scard hostname > > This works, and Windows 7 logs me in to the Windows Domain, > as if I was at the console. > > Note that neither OpenSC or PKCS#11 is not involved. > > The Windows 7 built-in minidriver driver sends APDU commands to pcscd > on ubuntu, and responses are returned. > > As Dr Rousseau must have indicated, It sounds like the GemAlto software > on the Windows side is sending some commands over to rdesktop to be sent > to pcscd that it can not handle. > > Have you gotten a pcscd trace? > /usr/sbin/pcscd -f -a -d > some.output.file > >> Would someone here be willing to work with me to make these cards >> compatible with PSCS / OpenSC / OpenCT / Whatever? > > For use with Windows via rdesktop, it sounds like you need a > minidriver on Windows and no changes on the unix side. > But GemAlto (or Windows .NET) provided you with one. > > It may be that the windows server is old, can you try > doing a rdesktop to a Windows 7 or Windows 8? > > It could also be that the .NET card is sending commands to > pcscd that rdesktop or pcscd can not handle. > > Does a PCSCD trace show what is failing? > >> >> Is it possible? > > Yes, but it sounds like the GemAlto driver should work, > if run on a new enough Windows server. > >> >> Steven Brown, Support Consultant >> ISM Canada An IBM Global Services Company >> 1 Research Drive, Regina, Saskatchewan, Canada,S4S7H1 >> Mail: sb...@ca... >> Direct: 1.306.337.5620 >> >> >> ------------------------------------------------------------------------------ >> Get 100% visibility into Java/.NET code with AppDynamics Lite! >> It's a free troubleshooting tool designed for production. >> Get down to code-level detail for bottlenecks, with <2% overhead. >> Download for free and get started troubleshooting in minutes. >> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk >> _______________________________________________ >> Opensc-devel mailing list >> Ope...@li... >> https://lists.sourceforge.net/lists/listinfo/opensc-devel >> > -- Douglas E. Engert <DEE...@an...> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 |
|
From: Steven D B. <sb...@ca...> - 2013-08-12 16:19:50
|
We are trying to login to a Windows 2008 R2 machine.
I have sent many traces to Dr Rousseau, did you want me to capture one and
post it here?
Gemalto provided me with an implementation of PKCS11 which others have
indicated I should not need.
Steven Brown, Support Consultant
ISM Canada An IBM Global Services Company
1 Research Drive, Regina, Saskatchewan, Canada,S4S7H1
Mail: sb...@ca...
Direct: 1.306.337.5620
From: "Douglas E. Engert" <dee...@an...>
To: ope...@li...,
Date: 2013/08/12 09:57 AM
Subject: Re: [Opensc-devel] PCSClite + OpenSC + RDesktop + Gemalto IDPrime .NET SmartCard
On 8/8/2013 5:16 PM, Steven D Brown wrote:
>
> Hello Folks,
>
> This is my first post here, I did some searches of the mailing list via
> Google but didn't see anything relevant.
>
> I have the following setup:
>
> RedHat 6.4 / Ubuntu 12.xx laptops
> Rdesktop 1.7.1
> PSCSlite 1.8.5
>
> Gemalto Reader as shown here:
> http://pcsclite.alioth.debian.org/ccid/supported.html#0x08E60x3437 ,
> although it is a USB model
>
> I would like to be able to use my Gemalto IDPrime .NET (
> http://www.gemalto.com/products/dotnet_card/ ) card to login to a Windows
> Server from my Linux laptops.
What version of the windows server?
>
>
> I have spent the past week or so speaking to Dr Rousseau about PCSClite
and
> he says that the Windows server is asking for some attributes that PCSC
is
> currently unequipped to handle on these cards. Because this is a
> self-motivated project within my department, I am unable to fund a
massive
> research project to sort this out.
>
> I was hoping maybe someone here could help me. I have received a ZIP
> file from Gemalto which contains their PKCS11 Library for use with these
> cards.
>
Just tested from: Ubuntu 12.10 using:
Rdesktop 1.7.1
PSCSlite 1.8.5
SCM 355 reader
U.S. Gov issued PIV smart card to Windows 7 using:
rdesktop -r scard hostname
This works, and Windows 7 logs me in to the Windows Domain,
as if I was at the console.
Note that neither OpenSC or PKCS#11 is not involved.
The Windows 7 built-in minidriver driver sends APDU commands to pcscd
on ubuntu, and responses are returned.
As Dr Rousseau must have indicated, It sounds like the GemAlto software
on the Windows side is sending some commands over to rdesktop to be sent
to pcscd that it can not handle.
Have you gotten a pcscd trace?
/usr/sbin/pcscd -f -a -d > some.output.file
> Would someone here be willing to work with me to make these cards
> compatible with PSCS / OpenSC / OpenCT / Whatever?
For use with Windows via rdesktop, it sounds like you need a
minidriver on Windows and no changes on the unix side.
But GemAlto (or Windows .NET) provided you with one.
It may be that the windows server is old, can you try
doing a rdesktop to a Windows 7 or Windows 8?
It could also be that the .NET card is sending commands to
pcscd that rdesktop or pcscd can not handle.
Does a PCSCD trace show what is failing?
>
> Is it possible?
Yes, but it sounds like the GemAlto driver should work,
if run on a new enough Windows server.
>
> Steven Brown, Support Consultant
> ISM Canada An IBM Global Services Company
> 1 Research Drive, Regina, Saskatchewan, Canada,S4S7H1
> Mail: sb...@ca...
> Direct: 1.306.337.5620
>
>
>
------------------------------------------------------------------------------
> Get 100% visibility into Java/.NET code with AppDynamics Lite!
> It's a free troubleshooting tool designed for production.
> Get down to code-level detail for bottlenecks, with <2% overhead.
> Download for free and get started troubleshooting in minutes.
>
http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>
--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
_______________________________________________
Opensc-devel mailing list
Ope...@li...
https://lists.sourceforge.net/lists/listinfo/opensc-devel
|
|
From: Douglas E. E. <dee...@an...> - 2013-08-12 15:56:35
|
On 8/8/2013 5:16 PM, Steven D Brown wrote: > > Hello Folks, > > This is my first post here, I did some searches of the mailing list via > Google but didn't see anything relevant. > > I have the following setup: > > RedHat 6.4 / Ubuntu 12.xx laptops > Rdesktop 1.7.1 > PSCSlite 1.8.5 > > Gemalto Reader as shown here: > http://pcsclite.alioth.debian.org/ccid/supported.html#0x08E60x3437 , > although it is a USB model > > I would like to be able to use my Gemalto IDPrime .NET ( > http://www.gemalto.com/products/dotnet_card/ ) card to login to a Windows > Server from my Linux laptops. What version of the windows server? > > > I have spent the past week or so speaking to Dr Rousseau about PCSClite and > he says that the Windows server is asking for some attributes that PCSC is > currently unequipped to handle on these cards. Because this is a > self-motivated project within my department, I am unable to fund a massive > research project to sort this out. > > I was hoping maybe someone here could help me. I have received a ZIP > file from Gemalto which contains their PKCS11 Library for use with these > cards. > Just tested from: Ubuntu 12.10 using: Rdesktop 1.7.1 PSCSlite 1.8.5 SCM 355 reader U.S. Gov issued PIV smart card to Windows 7 using: rdesktop -r scard hostname This works, and Windows 7 logs me in to the Windows Domain, as if I was at the console. Note that neither OpenSC or PKCS#11 is not involved. The Windows 7 built-in minidriver driver sends APDU commands to pcscd on ubuntu, and responses are returned. As Dr Rousseau must have indicated, It sounds like the GemAlto software on the Windows side is sending some commands over to rdesktop to be sent to pcscd that it can not handle. Have you gotten a pcscd trace? /usr/sbin/pcscd -f -a -d > some.output.file > Would someone here be willing to work with me to make these cards > compatible with PSCS / OpenSC / OpenCT / Whatever? For use with Windows via rdesktop, it sounds like you need a minidriver on Windows and no changes on the unix side. But GemAlto (or Windows .NET) provided you with one. It may be that the windows server is old, can you try doing a rdesktop to a Windows 7 or Windows 8? It could also be that the .NET card is sending commands to pcscd that rdesktop or pcscd can not handle. Does a PCSCD trace show what is failing? > > Is it possible? Yes, but it sounds like the GemAlto driver should work, if run on a new enough Windows server. > > Steven Brown, Support Consultant > ISM Canada An IBM Global Services Company > 1 Research Drive, Regina, Saskatchewan, Canada,S4S7H1 > Mail: sb...@ca... > Direct: 1.306.337.5620 > > > ------------------------------------------------------------------------------ > Get 100% visibility into Java/.NET code with AppDynamics Lite! > It's a free troubleshooting tool designed for production. > Get down to code-level detail for bottlenecks, with <2% overhead. > Download for free and get started troubleshooting in minutes. > http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > -- Douglas E. Engert <DEE...@an...> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 |
|
From: Andreas J. <an...@io...> - 2013-08-12 06:23:59
|
Am 09.08.2013 17:34 schrieb "Anders Rundgren" <and...@te...>: ... > > Anyway, I believe 3D Secure actually will be reborn! > > ------ > > As you probably know the big credit card networks already back in 1999 launched a "Web Payment" scheme called 3D Secure. > > Nowadays it is known as VbV (Verified by VISA) and SecureCode (MasterCard's variant). At least my german bank implements this with a huge liability shift towards the customer. Thus i refuse to buy with any VbV enabled merchant. Andreas |
|
From: Anders R. <and...@te...> - 2013-08-12 05:32:43
|
On 2013-08-12 07:15, Andreas Jellinghaus wrote: > > Am 09.08.2013 17:34 schrieb "Anders Rundgren" <and...@te... <mailto:and...@te...>>: > ... >> >> Anyway, I believe 3D Secure actually will be reborn! >> >> ------ >> >> As you probably know the big credit card networks already back in 1999 launched a "Web Payment" scheme called 3D Secure. >> >> Nowadays it is known as VbV (Verified by VISA) and SecureCode (MasterCard's variant). > > At least my german bank implements this with a huge liability shift towards the customer. Thus i refuse to buy with any VbV enabled merchant. > Interesting and pretty weird. Anyway, the basic principle (using your bank/issuer as a federated party in the transaction), has been "cloned" any number of times over the world. What I hope to bring is a programmable framework based on an enhanced WebCrypto scheme so that we some day may actually retire the mag-strip and userid/password (printed in clear text..) from credit cards. EMV-cards are due to the latter as susceptible to skimming as the non-chip cards and that sux, doesn't it? It is clear that the card industry, the financial institutions and Microsoft can continue for another 15 year on the Internet without succeeding! Anders |
5 messages has been excluded from this view by a project administrator.
