From: Anders R. <and...@gm...> - 2018-01-08 09:19:21
On 2018-01-08 10:12, Jakub Jelen wrote:
>> History is becoming a weight that prevents further evolution. Many
>> limitations are rooted in assumptions that are no longer true.
>> We'd need PKCS11-2018, a complete revision of the standard that ditches
>> a lot of dead weight.
>
> PKCS#11 is not dead. There is going to be PKCS#11 3.0 [1], which I try
> to follow, but I don't think there is going to be any significant
> change in the way of handling multiple processes. Or what dead weight
> do you mean in this case?

I know that RedHat have designed their crypto platform around PKCS #11.
No other vendors have.

PKCS #11 for smart cards isn't going anywhere, and neither is PC/SC.
Intel and ARM are all into embedded security.

Essentially only Estonia continues with eID cards.

Anders
From: Douglas E E. <dee...@gm...> - 2018-01-08 15:43:50
On 1/8/2018 3:19 AM, Anders Rundgren wrote:
> I know that RedHat have designed their crypto platform around PKCS #11.
> No other vendors have.

Oracle Solaris did.
https://docs.oracle.com/cd/E19120-01/open.solaris/819-2145/chapter1-1/index.html

I did much of my early smart card development on Solaris workstations until Oracle dropped Solaris workstations.

Never followed up on how much of the "Third-party Hardware and Software pluggable tokens" in "Userland" were also implemented in the "Third-party Hardware crypto providers" in "Kernel".

--
Douglas E. Engert <DEE...@gm...>
From: NdK <ndk...@gm...> - 2018-01-08 17:29:58
On 08/01/2018 08:10, Frank Morgner wrote:
> If OpenSC is not responsive enough, have you tried enabling file
> caching?
Uh? The bottleneck is the access to the token... But I didn't know about file caching and I'll have to have a look.

> Did you disable the card drivers that you don't need?
No, I usually have to use OS-supplied packages (for long-term maintenance). Surely, on a test machine I can experiment with git releases, but for deployment I have to wait for the changes to arrive in the distro.

> Instead of using 42 ssh sessions to the same machine,
Never said these sessions are to the same machine. It would be useless. It's ~half of an 81-PC lab. cssh is used to send the same command to all the sessions. Before using cssh, it took 3 days to deploy all the updates on all the machines. With cssh it only takes ~2h.

> Complaining doesn't help much for making the situation better,
Yup. I stopped complaining-without-trying-to-debug about 30 years ago :)
Mine was not intended as a complaint, just as a reminder of a series of "problems" users have to face.

> so here are some short hints:
Tks. I'll keep 'em handy.

> * Using smart cards in a managed environment works quite well (even
> with PKCS#11)! Your company just needs a good IT department that
> configures everything that's needed.
I am one of the most experienced Linux users in our IT team (that's the main reason I can't easily deploy anything compiled from sources: other techs wouldn't be able to maintain it).

BYtE,
Diego
From: Jakub J. <jj...@re...> - 2018-01-09 08:41:57
On Mon, 2018-01-08 at 18:29 +0100, NdK wrote:
> On 08/01/2018 08:10, Frank Morgner wrote:
> > If OpenSC is not responsive enough, have you tried enabling file
> > caching?
>
> Uh? The bottleneck is the access to the token... But I didn't know
> about file caching and I'll have to have a look.
>
> > Did you disable the card drivers that you don't need?
>
> No, I usually have to use OS-supplied packages (for long-term
> maintenance). Surely, on a test machine I can experiment with git
> releases, but for deployment I have to wait for the changes to arrive in
> the distro.

The driver selection is in the configuration file, so there is no need to recompile. Just find out what driver your card is using, for example with "opensc-tool -n", and then add it to /etc/opensc.conf, such as "card_drivers = PIV-II, internal;" (leaving internal at the end allows the detection of other types, but yours -- in this case PIV-II -- will be the first one to detect).

Regards,
Jakub
From: <J.W...@mi...> - 2018-01-09 12:45:50
Belgium is right now. And The Netherlands (for private citizens) in 15 years :-(
Right now, some of the Dutch Ministries ARE using ID-cards. MoD relies heavily on it.

-----Original Message-----
Essentially only Estonia continues with eID cards.

Anders

_______________________________________________
Opensc-devel mailing list
Ope...@li...
https://lists.sourceforge.net/lists/listinfo/opensc-devel

This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
From: <J.W...@mi...> - 2018-01-09 13:01:14
I dare to disagree strongly.
Perhaps (...) until the time we have a BIO-interface like in "The Matrix"

-----Original Message-----
From: Anders Rundgren [mailto:and...@gm...]
Sent: Sunday, 7 January 2018 15:23
To: ope...@li...
Subject: Re: [Opensc-devel] OpenSC at FOSDEM 2018

Smart cards represent "a blast from the past".
Embedded security (assuming Intel & Co succeeds in tightening the current ugly issues..) is the future.
From: Anders R. <and...@gm...> - 2018-01-09 14:21:34
On 2018-01-09 14:01, J.W...@mi... wrote:
> I dare to disagree strongly.
> Perhaps (...) until the time we have a BIO-interface like in "The Matrix"

My guess is that in 5-10 years most SIMs will be virtualized. ARM and Intel already have this working.

This will accelerate the downward spiral for other smart card applications as well.

The e-passport project is a failure, other solutions are taking over.

Anders

> -----Original Message-----
> From: Anders Rundgren [mailto:and...@gm...]
> Sent: Sunday, 7 January 2018 15:23
> To: ope...@li...
> Subject: Re: [Opensc-devel] OpenSC at FOSDEM 2018
>
> Smart cards represent "a blast from the past".
> Embedded security (assuming Intel & Co succeeds in tightening the current ugly issues..) is the future.
From: <J.W...@mi...> - 2018-01-09 13:18:42
That sounds like two programs trying to get an exclusive lock on some of the EFs on the card.
AFAICR, that was already addressed at FOSDEM 3 or 4 years ago...
Still, encrypting/decrypting remains a sequential process, and no userland should try to get a long-lasting exclusive lock.

Hans

-----Original Message-----
From: NdK [mailto:ndk...@gm...]
Sent: Sunday, 7 January 2018 11:54
To: Witvliet, J, Ing., DMO/OPS/I&S/APH
Cc: ope...@li...
Subject: Re: [Opensc-devel] OpenSC at FOSDEM 2018

On 07/01/2018 00:17, J.W...@mi... wrote:
> You know there is a patch for OpenSSH, so it can use ssl keys/certificates....
> Afaicr this feature has been in the commercial branch of ssh for years.
Uh? I've been able to use a simple PKCS11Provider config option to specify the lib to use and access keys on the card.
But the point is that if Firefox is accessing the same card, ssh fails.

BYtE,
Diego
From: NdK <ndk...@gm...> - 2018-01-09 16:35:50
On 09/01/2018 14:18, J.W...@mi... wrote:
> That sounds like two programs trying to get an exclusive lock on some of the EFs on the card.
> AFAICR, that was already addressed at FOSDEM 3 or 4 years ago...
> Still, encrypting/decrypting remains a sequential process, and no userland should try to get a long-lasting exclusive lock
Pls, explain that to the Mozilla team... Possibly w/ the "friendly certs" 9yo issue...
I kept using FF mainly for the "tab groups" feature... Lacking it *and* w/ an uncooperative token management, I'll be free to move to other browsers. :)

BYtE,
Diego
From: <J.W...@mi...> - 2018-01-09 15:00:42
With anything virtualised, how can you guarantee its uniqueness?
It could be cloned by your evil chambermaid.

-----Original Message-----
From: Anders Rundgren [mailto:and...@gm...]
Sent: Tuesday, 9 January 2018 15:21
To: Witvliet, J, Ing., DMO/OPS/I&S/APH; ope...@li...
Subject: Re: [Opensc-devel] OpenSC at FOSDEM 2018

On 2018-01-09 14:01, J.W...@mi... wrote:
> I dare to disagree strongly.
> Perhaps (...) until the time we have a BIO-interface like in "The Matrix"

My guess is that in 5-10 years most SIMs will be virtualized. ARM and Intel already have this working.

This will accelerate the downward spiral for other smart card applications as well.

The e-passport project is a failure, other solutions are taking over.

Anders
From: Anders R. <and...@gm...> - 2018-01-09 15:22:56
On 2018-01-09 16:00, J.W...@mi... wrote:
> With anything virtualised, how can you guarantee its uniqueness?
> It could be cloned by your evil chambermaid.

Even if the device (or key) is protected by a PIN and/or biometrics?

Anders
From: <J.W...@mi...> - 2018-01-09 15:30:43
Eh... Virtualised biometrics ???
And with PIN: you can clone them 10000 fold, and do a parallel brute force attack.
So, no. This sounds just good enough for your cookie jar. Not if the lives of your loved ones might depend on it.

-----Original Message-----
From: Anders Rundgren [mailto:and...@gm...]
Sent: Tuesday, 9 January 2018 16:23
To: Witvliet, J, Ing., DMO/OPS/I&S/APH; ope...@li...
Subject: Re: [Opensc-devel] OpenSC at FOSDEM 2018

On 2018-01-09 16:00, J.W...@mi... wrote:
> With anything virtualised, how can you guarantee its uniqueness?
> It could be cloned by your evil chambermaid.

Even if the device (or key) is protected by a PIN and/or biometrics?

Anders
From: NdK <ndk...@gm...> - 2018-01-09 16:48:29
On 09/01/2018 16:00, J.W...@mi... wrote:
> With anything virtualised, how can you guarantee its uniqueness?
> It could be cloned by your evil chambermaid.
Not (easily, or by a simple chambermaid) if it's inside a secure coprocessor. Remember the TPM?
At the end: a smartcard in a different form factor and with a trendier name (just waiting for someone proposing a name with "blockchain" in it... ROFLASTC!).

BYtE,
Diego
From: Anders R. <and...@gm...> - 2018-01-09 16:53:56
On 2018-01-09 17:48, NdK wrote:
> On 09/01/2018 16:00, J.W...@mi... wrote:
>> With anything virtualised, how can you guarantee its uniqueness?
>> It could be cloned by your evil chambermaid.
> Not (easily, or by a simple chambermaid) if it's inside a secure
> coprocessor. Remember the TPM?
> At the end: a smartcard in a different form factor and with a trendier
> name (just waiting for someone proposing a name with "blockchain" in it...
> ROFLASTC!).

Yes! Smart cards supporting a combination of "blockchain" and "AI" is what we all are waiting on :-)

Maybe "AI" will require a minor PKCS #11 update....

Anders

> BYtE,
> Diego
From: NdK <ndk...@gm...> - 2018-01-09 17:23:01
On 09/01/2018 17:53, Anders Rundgren wrote:
> Maybe "AI" will require a minor PKCS #11 update....
Not necessarily, if PKCS#11 allows for interactive key agreement (multi-step DH)...
Tree Parity Machines (the simplest form of neural network) can exploit the speed difference between simple learning and mutual learning to converge to a common state faster than an attacker. The security margin derives from information theory and does not require assumptions like "this problem is difficult": the upper bound of what the attacker can know is mathematically determined (too bad it's relatively high).
Actually TPMs' mutual learning is more practical than some PQC algorithms :)

BYtE,
Diego
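Added illustration of the mutual-learning idea Diego describes (example code, not from the thread): two Tree Parity Machines A and B, fed the same random inputs, apply the Hebbian rule only on rounds where their outputs agree, while a naive eavesdropper E that sees inputs and outputs may only update when its own output also agrees ("simple learning"). The parameters K, N, L, the sign(0) = -1 convention and the naive attacker model are assumptions of this example, chosen small so it runs in well under a second.

```python
"""Tree Parity Machine (TPM) mutual learning vs. a naive eavesdropper.

Added example, not code from the thread. K hidden units, N inputs each,
integer weights in [-L, L]; inputs are random +/-1 vectors shared by all.
"""
import random


class TreeParityMachine:
    def __init__(self, k, n, l, rng=None):
        rng = rng or random.Random()
        self.k, self.n, self.l = k, n, l
        self.w = [[rng.randint(-l, l) for _ in range(n)] for _ in range(k)]
        self.sigma = [1] * k

    def output(self, x):
        """tau = product of the hidden-unit signs; sign(0) is taken as -1 (assumption)."""
        self.sigma = []
        for k in range(self.k):
            s = sum(wj * xj for wj, xj in zip(self.w[k], x[k]))
            self.sigma.append(1 if s > 0 else -1)
        tau = 1
        for s in self.sigma:
            tau *= s
        return tau

    def hebbian_update(self, x, tau):
        """Move only the hidden units that agreed with tau; clip weights to [-L, L]."""
        for k in range(self.k):
            if self.sigma[k] != tau:
                continue
            for j in range(self.n):
                self.w[k][j] = max(-self.l, min(self.l, self.w[k][j] + x[k][j] * tau))


def synchronize(k=3, n=4, l=3, seed=1, max_steps=50_000):
    """Run A and B (mutual learning) and E (simple learning) until A and B agree on all weights."""
    rng = random.Random(seed)
    a = TreeParityMachine(k, n, l, rng)
    b = TreeParityMachine(k, n, l, rng)
    e = TreeParityMachine(k, n, l, rng)   # eavesdropper with its own random start
    for step in range(1, max_steps + 1):
        x = [[rng.choice((-1, 1)) for _ in range(n)] for _ in range(k)]
        ta, tb, te = a.output(x), b.output(x), e.output(x)
        if ta == tb:                       # mutual learning: both parties update
            a.hebbian_update(x, ta)
            b.hebbian_update(x, ta)
            if te == ta:                   # simple learning: E only when it already agrees
                e.hebbian_update(x, ta)
        if a.w == b.w:
            return {"synced": True, "steps": step, "attacker_synced": e.w == a.w,
                    "a": a, "b": b, "e": e}
    return {"synced": False, "steps": max_steps, "attacker_synced": False,
            "a": a, "b": b, "e": e}


if __name__ == "__main__":
    r = synchronize()
    print(f"A and B synced after {r['steps']} rounds; "
          f"naive attacker synced: {r['attacker_synced']}")
```

The weights A and B end with are the shared secret; a real key would still have to be derived from them with a KDF.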
From: Jakub J. <jj...@re...> - 2018-01-12 14:05:09
On Sat, 2018-01-06 at 12:11 +0100, NdK wrote:
> On 05/01/2018 19:01, Bernd Eckenfels wrote:
>> Hello,
>> Did you try scdaemon (scenario 1 with SCd-PKCS11 should work with
>> Firefox)
>> https://github.com/sektioneins/scd-pkcs11/blob/master/README.md
>
> IIUC that's for GPG to use OpenSC-managed cards.
>
> Practical example. I have MyEID cards where I load a couple of keys
> for web auth (say work portal and CAcert), a key for mail signing
> (X509), a key for SSH access and the 3 GPG keys (DEC, SIG, AUT, and
> possibly the master C key too).
> That's what I could do before problems started (I last tested quite some
> time ago, so it might be a bit fuzzy). IIRC, if I had Firefox open I
> couldn't access any key from other apps (including Thunderbird).
> If I closed FF, then I could sign/decrypt mails in Thunderbird, but
> either with X509 or GPG (Enigmail). And to use SSH I had to close TB,
> too.

Hello Diego,
I am not using web authentication using PKCS#11, but (for the sake of correct outcomes here) I got to test it today and it works as expected without any concurrency issues (until you let GnuPG's scdaemon into the round) with all the cards I have around, but mostly with PIV on yubikey.

I believe you should give it a try again. You might be pleasantly surprised (unless the MyEID cards have some different issues than my cards).

The scdaemon could be replaced with a tool that does not require exclusive access and talks PKCS#11, such as gnupg-pkcs11-scd [1], and then we should be over these problems.

> Guess what's the "normal user" reaction? "fsck smartcards".

Yes, some of the configuration steps should be more explicit (disconnect = leave), and we should support both applets on the smart card (PIV, OpenPGP) on yubikey [2] to make it a working setup for general users. But I would not say it is impossible nor that we are far.

[1] http://gnupg-pkcs11.sourceforge.net/index.html
[2] https://github.com/OpenSC/OpenSC/issues/962

Thanks for inputs and regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
From: Douglas E E. <dee...@gm...> - 2018-01-12 18:20:50
It turns out I have from Aventra a MyEID card which also has PIV. Due to the way the card responds to the PIV SELECT AID, the PIV driver does not select the card. I have a fix for this. But before submitting a PR, I need to look at the MyEID as it does have an AID:

./pkcs15-tool --list-applications
Using reader with a card: SCM Microsystems Inc. SCR 355 [CCID Interface] 00 00
Application 'Aventra':
        AID: A000000063504B43532D3135

and this is then another card that can have multiple applets

doug@XUbuntu-16:/opt/ossl-1.1/bin$ ./opensc-tool -s "00 A4 04 00 0C A0 00 00 00 63 50 4B 43 53 2D 31 35 00"
Using reader with a card: SCM Microsystems Inc. SCR 355 [CCID Interface] 00 00
Sending: 00 A4 04 00 0C A0 00 00 00 63 50 4B 43 53 2D 31 35 00
Received (SW1=0x90, SW2=0x00):
6F 25 81 02 7F FF 82 01 38 83 02 50 15 86 03 11 o%......8..P....
30 FF 85 02 00 E2 8A 01 07 84 0C A0 00 00 00 63 0..............c
50 4B 43 53 2D 31 35                            PKCS-15

doug@XUbuntu-16:/opt/ossl-1.1/bin$ ./opensc-tool -s "00 A4 04 00 09 A0 00 00 03 08 00 00 10 00 00"
Using reader with a card: SCM Microsystems Inc. SCR 355 [CCID Interface] 00 00
Sending: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00 00
Received (SW1=0x90, SW2=0x00):
4F 06 00 00 10 00 01 00 79 08 4F 06 00 00 10 00 O.......y.O.....
01 00 50 18 4D 79 45 49 44 20 50 49 56 20 63 61 ..P.MyEID PIV ca
72 64 20 65 6D 75 6C 61 74 69 6F 6E             rd emulation

But it does not appear to have an OpenPGP applet.

This adds more urgency to address issues in:
https://github.com/OpenSC/OpenSC/issues/962

--
Douglas E. Engert <DEE...@gm...>
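Added example (not OpenSC code and not part of Doug's message): a small BER-TLV decoder run over the two SELECT responses transcribed from the dumps above. Tag meanings follow ISO 7816-4 for the FCI (tag 6F, with tag 84 carrying the DF name, i.e. the AID) and SP 800-73 for the PIV application property template (4F = PIX, 79/4F = coexistent tag allocation authority, 50 = application label); the second response starts directly at tag 4F rather than inside the 61 template SP 800-73 describes, so the decoder accepts both shapes and reports which one it saw.

```python
"""BER-TLV decoder applied to the two SELECT responses captured above.

Added example, not OpenSC code. The byte strings are transcribed from the
opensc-tool output in this message (status word 90 00 not included).
"""

# Response to SELECT A000000063504B43532D3135 (Aventra PKCS#15 application).
MYEID_PKCS15_FCI = bytes.fromhex(
    "6F 25 81 02 7F FF 82 01 38 83 02 50 15 86 03 11"
    "30 FF 85 02 00 E2 8A 01 07 84 0C A0 00 00 00 63"
    "50 4B 43 53 2D 31 35"
)

# Response to SELECT A000000308000010000100 (PIV AID).
MYEID_PIV_APT = bytes.fromhex(
    "4F 06 00 00 10 00 01 00 79 08 4F 06 00 00 10 00"
    "01 00 50 18 4D 79 45 49 44 20 50 49 56 20 63 61"
    "72 64 20 65 6D 75 6C 61 74 69 6F 6E"
)


def _read_tag(data, i):
    """Return (tag_bytes, next_index); a first byte with low 5 bits 11111 means more tag bytes."""
    start = i
    first = data[i]
    i += 1
    if first & 0x1F == 0x1F:
        while data[i] & 0x80:
            i += 1
        i += 1
    return data[start:i], i


def _read_length(data, i):
    """Short form (< 0x80) or long form 0x81/0x82, which is all cards use in practice."""
    b = data[i]
    i += 1
    if b < 0x80:
        return b, i
    n = b & 0x7F
    if n == 0 or n > 2:
        raise ValueError(f"unsupported length encoding 0x{b:02X} at offset {i - 1}")
    return int.from_bytes(data[i:i + n], "big"), i + n


def parse_tlv(data):
    """Parse a BER-TLV sequence into [(tag_hex, value), ...].

    Constructed tags (bit 0x20 of the first tag byte set, e.g. 6F, 61, 79)
    are decoded recursively, so their value is a nested list. Truncated
    input raises ValueError instead of returning a partial structure.
    """
    out, i = [], 0
    while i < len(data):
        tag, i = _read_tag(data, i)
        length, i = _read_length(data, i)
        if i + length > len(data):
            raise ValueError(f"tag {tag.hex().upper()} claims {length} bytes, "
                             f"only {len(data) - i} left")
        value = data[i:i + length]
        i += length
        if tag[0] & 0x20:
            value = parse_tlv(value)
        out.append((tag.hex().upper(), value))
    return out


def find(tlvs, tag):
    """First value with the given tag (hex string) in a parsed list, or None."""
    for t, v in tlvs:
        if t == tag:
            return v
    return None


def fci_df_name(resp):
    """DF name (the selected AID) from an ISO 7816-4 FCI: template 6F, child 84."""
    fci = find(parse_tlv(resp), "6F")
    if fci is None:
        raise ValueError("no FCI template (6F) in response")
    return find(fci, "84").hex().upper()


def piv_application_properties(resp):
    """Decode a PIV SELECT response, with or without the 61 wrapper SP 800-73 specifies."""
    tlvs = parse_tlv(resp)
    body = find(tlvs, "61")
    wrapped = body is not None
    if not wrapped:
        body = tlvs                      # MyEID returns the children bare
    return {
        "wrapped_in_61": wrapped,
        "pix": find(body, "4F").hex().upper(),
        "coexistent_authority": find(find(body, "79"), "4F").hex().upper(),
        "label": find(body, "50").decode("ascii"),
    }


if __name__ == "__main__":
    print("PKCS#15 DF name:", fci_df_name(MYEID_PKCS15_FCI))
    print("PIV properties:", piv_application_properties(MYEID_PIV_APT))
```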
From: NdK <ndk...@gm...> - 2018-01-12 18:46:13
On 12/01/2018 15:04, Jakub Jelen wrote:
> I am not using web authentication using PKCS#11, but (for the sake of
> correct outcomes here) I got to test it today and it works as expected
> without any concurrency issues (until you let GnuPG's scdaemon into
> the round) with all the cards I have around, but mostly with PIV on
> yubikey.
That's good. I'll test again as soon as I find my reader...
Were you able to authenticate to a site from FF and then sign a mail from TB w/o closing FF? That's great!

> I believe you should give it a try again. You might be pleasantly
> surprised (unless the MyEID cards have some different issues than my
> cards).
I doubt it. Mine are quite old, some contact-only and some dual interface, IIRC. But all single applet.

> The scdaemon could be replaced with a tool that does not require
> exclusive access and talks PKCS#11, such as gnupg-pkcs11-scd [1] and
> then we should be over these problems.
I remember trying it but IIRC it was quite underdocumented. Hope that changed too :)

> Yes, some of the configuration steps should be more explicit
> (disconnect = leave), and we should support both applets on the smart
> card (PIV, OpenPGP) on yubikey [2] to make it a working setup for general
> users. But I would not say it is impossible nor that we are far.
Well, multi-applet cards are a very different beast...

Tks for trying!

BYtE,
Diego