On 11/27/06, Ludovic Rousseau <[EMAIL PROTECTED]> wrote:
> On 26/11/06, Andreas Jellinghaus <[EMAIL PROTECTED]> wrote:
> > Hi,
>
> Hello,
>
> > the works of smart card software is confusing, so many open source
> > project. what do you think: shall we start a wiki where we list
> > each software, describe what it does, link to it etc?
>
> That would be great.
> I sometimes discover new smart card applications/programs (like the
> pkcs11-helper from Alon Bar-Lev) that could have helped me.
>
> Thanks!

But before we do, I think we need to define what is smartcard support...
There are quality criteria that should be listed for each application,
describing its level of support.

For example:

1. You don't expect an application to require the user to store the PIN
hard-coded in a configuration file... This behavior was in the *supplicant
projects, which use engine_pkcs11. I have an initial working patch
using pkcs11-helper that uses its management interface in order to
prompt the user.

2. The PIN should be requested from the user only when required; for
example, NSS (Mozilla) asks for the PIN to access the token even if it
could have read the certificate without bothering the user. When I tried
to work with the NSS developers I got responses like "Your provider is
bad, we are OK", but it is not true.

3. If the user removes and re-inserts his card, the application should
re-prompt for the PIN when a private object is accessed.

4. If the user removes the card from one reader and inserts it into
another reader, the application should detect that it is the same
card, and not prompt the user for credentials again.

5. If the user opened a session/operation with an object on a token and
then removes the token, the application should request this specific
token when it tries to perform private operations. For example, NSS
(Mozilla, Thunderbird) just fails the SSL session or S/MIME operation.
I tried to raise this issue with the NSS developers, but to solve this
one their interface would have to be modified...

6. An application should support gaining credentials from external
devices (biometric, reader keyboard), if the underlying provider
supports this.

7. If an application uses a persistent connection, such as a VPN or SSL
session initiated by a smartcard operation, the session should be
disconnected (if requested by the user) once the smartcard is removed.

8. An application should allow the user to specify a timeout after which
the user will be forced to re-enter the PIN.

9. If an application supports a standard interface, such as PKCS#11, it
should allow loading more than one provider, so the application can
serve different users with different devices.

I worked hard to solve these and more issues within the scope of
pkcs11-helper... But most of the requirements are not PKCS#11 related.

I think that grading applications by the quality of their smartcard
support will serve users best, and will provide a way for developers to
understand what is required from their side.

So first we need a baseline...

Best Regards,
Alon Bar-Lev.
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
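The criteria in Alon's list (PIN only for private operations, re-prompt after the card was removed, re-binding to the same card in another reader, asking for that specific card rather than any card, a PIN lifetime) describe an application-side policy layered over PKCS#11. The following is an added illustration of that policy, written for this page; it is not code from opensc, pkcs11-helper or the message above. `FakeModule` is a constructed in-memory stand-in for a PKCS#11 module (slots, token serial numbers, sessions that die with the card, as a real module reports with CKR_DEVICE_REMOVED); the `CardSession` class is the part an application would keep, with the stand-in swapped for a real binding. It deliberately never caches the PIN, so after a card leaves a reader the PIN is asked again even when the same card reappears elsewhere; what it preserves across the move is the binding to that card's serial number, so the application keeps working with the card it started with instead of failing or silently switching to another token.

```python
import time
from collections import namedtuple

FakeToken = namedtuple("FakeToken", "serial pin cert")  # constructed test card, not a real token


class TokenRemoved(Exception):
    """Stand-in for CKR_DEVICE_REMOVED / CKR_TOKEN_NOT_PRESENT from a real module."""


class FakeModule:
    """Constructed in-memory stand-in for a PKCS#11 module (not a real library):
    a session is bound to one slot and dies when the card leaves that slot."""

    def __init__(self, nslots=2):
        self.slots, self.sessions, self._next = dict.fromkeys(range(nslots)), {}, 1

    def insert(self, slot, token):
        self.slots[slot] = token

    def remove(self, slot):                      # also kills every session on that slot
        self.slots[slot] = None
        for s in self.sessions.values():
            s["dead"] |= s["slot"] == slot

    def present_tokens(self):                    # [(slot, serial)] for inserted cards
        return [(s, t.serial) for s, t in self.slots.items() if t is not None]

    def open_session(self, slot):
        if self.slots[slot] is None:
            raise TokenRemoved(slot)
        h, self._next = self._next, self._next + 1
        self.sessions[h] = {"slot": slot, "token": self.slots[slot], "login": False, "dead": False}
        return h

    def _live(self, h):
        if self.sessions[h]["dead"]:
            raise TokenRemoved(self.sessions[h]["slot"])
        return self.sessions[h]

    def login(self, h, pin):
        if pin != self._live(h)["token"].pin:
            raise PermissionError("CKR_PIN_INCORRECT")
        self._live(h)["login"] = True

    def read_cert(self, h):                      # public object: no login needed
        return self._live(h)["token"].cert

    def sign(self, h, data):                     # private object: login needed
        s = self._live(h)
        if not s["login"]:
            raise PermissionError("CKR_USER_NOT_LOGGED_IN")
        return b"sig[" + s["token"].serial.encode() + b"]" + data


class CardSession:
    """Application-side policy: bind to a card by its serial, log in only for private
    operations, forget the login when the card leaves or pin_ttl expires, never keep the PIN."""

    def __init__(self, module, ask_pin, pin_ttl=300.0, clock=time.monotonic):
        self.m, self.ask_pin, self.ttl, self.clock = module, ask_pin, pin_ttl, clock
        self.serial, self.h, self.login_at, self.prompts = None, None, None, 0

    def _attach(self):                           # (re)open a session wherever our card is now
        for slot, serial in self.m.present_tokens():
            if self.serial in (None, serial):
                self.serial, self.h = serial, self.m.open_session(slot)
                return
        raise TokenRemoved(f"insert card {self.serial!r}")  # ask for this card, not any card

    def _run(self, op):
        if self.h is None:
            self._attach()
        try:
            return op()
        except TokenRemoved:                     # session died with the card: drop login state
            self.h, self.login_at = None, None
            self._attach()
            return op()

    def certificate(self):
        return self._run(lambda: self.m.read_cert(self.h))

    def sign(self, data):
        def op():
            if self.login_at is None or self.clock() - self.login_at > self.ttl:
                self.prompts += 1
                self.m.login(self.h, self.ask_pin(self.serial))
                self.login_at = self.clock()
            return self.m.sign(self.h, data)
        return self._run(op)


def demo():
    m, card, now = FakeModule(), FakeToken("SN-0001", "1234", b"CERT"), [1000.0]
    m.insert(0, card)
    s = CardSession(m, ask_pin=lambda serial: "1234", pin_ttl=60, clock=lambda: now[0])
    out = {"cert": s.certificate(), "prompts_after_cert": s.prompts}  # public read: no PIN
    s.sign(b"a"); s.sign(b"b")
    out["prompts_after_two_signs"] = s.prompts                         # one PIN serves both
    m.remove(0); m.insert(1, card)                                     # same card, other reader
    out["sig_after_move"], out["prompts_after_move"] = s.sign(b"c"), s.prompts
    now[0] += 61                                                       # PIN lifetime expired
    s.sign(b"d"); out["prompts_after_timeout"] = s.prompts
    m.remove(1); m.insert(1, FakeToken("SN-0002", "0000", b"OTHER"))   # a different card
    try:
        s.sign(b"e"); out["other_card"] = "accepted"
    except TokenRemoved as e:
        out["other_card"] = str(e)
    return out
```

`demo()` walks the list: reading the certificate costs no prompt, two signatures cost one, a move to the other reader re-binds by serial and re-asks the PIN once, the expired lifetime forces another prompt, and a different card in the reader is refused with a request for the original serial instead of being used silently. With a real binding the `prompts` counter is the number worth recording when grading an application against criteria 2, 3 and 8.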