Shawn Willden wrote:
On Friday 21 September 2007 01:10:38 pm Douglas E. Engert wrote:
Not the ones I have seen. The assumption is the user of the card has
physical control over the reader, and is using the machine in front of him.

For authentication, yes. But, as I said, authentication would make no sense in the scenario I'm describing (and not describing very clearly).

Yes it would. That is exactly what the Microsoft RDC can do: let you
log in to a remote computer using your smart card.

Right, but it's a local reader to a remote machine, rather than a local machine to a remote reader. Or in my case, set of remote readers.

I still wonder if it's ever really necessary to have APDU level
access to a card that is on a remote system. How useful is it to
be able to send raw SCSI commands to a disk drive on another box,
for example? Disks are abstracted via filesystems and above that
via network file access protocols that can have appropriate
access controls layered on top of them, yet the issue of being
able to send an APDU from an application on one machine to a card
in a reader on another machine still comes up from time to time.
Is it really necessary to do that? It seems to me that the better
approach would be to abstract the card functionality over the
network (i.e. "sign this", "verify that").

I know that in some cases, such as displaying Windows desktops on
other systems, RDP and related protocols provide a way to
transport APDUs over the network connection, but that's really
a hack designed to get around the lack of a proper security
abstraction layer on the system that is displaying the Windows
desktop.

With that said, I also know the reality of the world today where
a Windows-based GINA smartcard middleware layer wants to talk
to a card, not some abstract interface, so until that kind of
situation gets sorted out, or people start using network based
security protocols such as Kerberos, we're not going to move
beyond the need to exchange APDUs over a network connection.

mike
_______________________________________________
Muscle mailing list
Muscle@lists.musclecard.com
http://lists.drizzle.com/mailman/listinfo/muscle
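The two designs contrasted in the message above, raw APDU forwarding versus a service that abstracts the card as "sign this" / "verify that", as an added example that is not part of the thread or of the MUSCLE project. The card is a constructed toy that answers three ISO 7816-style commands (SELECT, VERIFY, PSO: COMPUTE DIGITAL SIGNATURE) with an HMAC standing in for the private-key signature so it runs offline; the PIN, key, caller names and policy are all made up for the illustration.

```python
"""Remote smart card access: APDU passthrough vs. an abstracted signing service.

Constructed example. ToyCard imitates the status words a real card returns
(90 00 OK, 63 CX retries left, 69 82 security status not satisfied,
69 83 authentication method blocked); HMAC-SHA256 stands in for the
card's private-key signature so the example needs no hardware.
"""
import hashlib
import hmac


class ToyCard:
    """Minimal card: SELECT (A4), VERIFY PIN (20), PSO COMPUTE DIGITAL SIGNATURE (2A 9E 9A)."""

    SW_OK = b"\x90\x00"
    SW_SECURITY = b"\x69\x82"
    SW_BLOCKED = b"\x69\x83"
    SW_INS_UNSUPPORTED = b"\x6d\x00"

    def __init__(self, pin: bytes, key: bytes, retries: int = 3):
        self._pin, self._key, self._retries = pin, key, retries
        self._verified = False

    def transmit(self, apdu: bytes) -> bytes:
        ins, p1, p2 = apdu[1], apdu[2], apdu[3]
        data = apdu[5:5 + apdu[4]] if len(apdu) > 4 else b""  # Lc then command data
        if ins == 0xA4:                                  # SELECT: always succeeds here
            return self.SW_OK
        if ins == 0x20:                                  # VERIFY: PIN is in the APDU
            if self._retries == 0:
                return self.SW_BLOCKED
            if hmac.compare_digest(data, self._pin):
                self._verified = True
                return self.SW_OK
            self._retries -= 1
            return bytes([0x63, 0xC0 | self._retries])  # 63 CX: X attempts remain
        if ins == 0x2A and (p1, p2) == (0x9E, 0x9A):     # PSO: COMPUTE DIGITAL SIGNATURE
            if not self._verified:
                return self.SW_SECURITY
            return hmac.new(self._key, data, hashlib.sha256).digest() + self.SW_OK
        return self.SW_INS_UNSUPPORTED


class ApduPassthroughService:
    """What RDP-style redirection amounts to: every APDU from the remote client
    reaches the card unchanged. The service cannot distinguish a signature
    request from a PIN guess, so it has nothing to apply a policy to."""

    def __init__(self, card: ToyCard):
        self.card = card

    def handle(self, caller: str, apdu: bytes) -> bytes:
        return self.card.transmit(apdu)


class SigningService:
    """Card functionality abstracted as operations. The PIN stays on the host
    that owns the reader; remote callers get sign/verify, gated by policy."""

    def __init__(self, card: ToyCard, pin: bytes, allowed_signers):
        self.card, self._pin, self.allowed = card, pin, set(allowed_signers)
        self._unlocked = False

    def _unlock(self) -> None:
        if not self._unlocked:
            sw = self.card.transmit(b"\x00\x20\x00\x80" + bytes([len(self._pin)]) + self._pin)
            if sw != ToyCard.SW_OK:
                raise PermissionError("card rejected PIN")
            self._unlocked = True

    def _pso_sign(self, digest: bytes) -> bytes:
        resp = self.card.transmit(b"\x00\x2A\x9E\x9A" + bytes([len(digest)]) + digest)
        if resp[-2:] != ToyCard.SW_OK:
            raise RuntimeError(f"card returned {resp[-2:].hex()}")
        return resp[:-2]

    def sign(self, caller: str, digest: bytes) -> bytes:
        if caller not in self.allowed:                   # policy: who may sign
            raise PermissionError(f"{caller} may not sign")
        self._unlock()
        return self._pso_sign(digest)

    def verify(self, digest: bytes, signature: bytes) -> bool:
        # Toy only: with an HMAC stand-in, verification means recomputing on the card.
        self._unlock()
        return hmac.compare_digest(self._pso_sign(digest), signature)


def demo() -> dict:
    """Constructed scenario: two identical cards, one exposed each way."""
    pin, key = b"1234", b"constructed-example-key"
    raw = ApduPassthroughService(ToyCard(pin, key))
    svc = SigningService(ToyCard(pin, key), pin, allowed_signers={"alice"})
    results = {}
    # Passthrough: any reachable client can burn the retry counter and block the card.
    for guess in (b"0000", b"1111", b"2222"):
        results["last_sw"] = raw.handle("mallory", b"\x00\x20\x00\x80\x04" + guess)
    results["blocked"] = raw.handle("mallory", b"\x00\x20\x00\x80\x04" + pin) == ToyCard.SW_BLOCKED
    # Abstracted service: PIN never on the wire, caller identity decides.
    digest = hashlib.sha256(b"document to sign").digest()
    sig = svc.sign("alice", digest)
    results["alice_sig_ok"] = svc.verify(digest, sig)
    try:
        svc.sign("mallory", digest)
        results["mallory_denied"] = False
    except PermissionError:
        results["mallory_denied"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point the toy makes is the one in the message: once the wire carries APDUs, the host with the reader has no place to put access control, because it cannot know what a given command means to the card. An operation-level interface ("sign", "verify") gives it that place, and keeps the PIN dialogue local to the machine the user is sitting at.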
