Justin Karneges wrote:
Hi folks,
I'm just trying to wrap my head around all of the various protocols involved
in smart card use, and today I was reading the OpenSC website and it got my
mind going again. I'm glad that the website finally discusses these
important details.
Now, PKCS#11, as mentioned on the website, is not limited to smart cards.
However, all other protocols down the chain are, so for sake of this
discussion we'll assume we are only working with those gold-plated,
square-shaped smart card things, created in the year 1812.
It seems that there are 4 communication areas:
1) I/O to the smart card
2) I/O to the reader
3) filesystem layout/control for reading
4) filesystem layout/control for all else
My biggest gripe about smart cards is that they are unusually proprietary.
Even if one part is standardized, another part is not. You can't just use a
given smart card in a given computer without performing a very specific setup
process for that card (which may include installation of a specific reader).
Yes, proprietary vendor solutions are a major problem. Have a look at the
PIV card comments at:
http://www.opensc-project.org/opensc/wiki/UnitedStatesPIV
The intent is to standardize on multiple vendors for cards,
multiple vendors for readers, and multiple vendors for middleware,
thus avoiding the proprietary problems with a single vendor.
The components that have passed the interoperability testing
are on the list at:
http://fips201ep.cio.gov/apl.php
But all this standardization is limiting. With PIV there is a predefined
set of objects that can be on the card, and it is meant to be read only
for the end user. Administration of the card is left up to the card
vendors to work with the administration software vendors.
The NIST standards define the middleware and talk of "logical access"
and hint at PKCS#11. The OpenSC support of the PIV was designed to
provide PKCS#11 access on systems where vendors have not provided
the middleware. The access is to the authentication cert and digital
signing cert so as to work with Web browsers and Kerberos PKINIT,
i.e. can be used to authenticate to Windows AD.
Sorry for being so long-winded about a specific class of smart cards,
but PIV addresses a lot of the concerns you have with the smart card
industry, but based on your company's web site, may not apply
to you.
There would appear to be a standard for #1. I don't remember what it is
called, but it involves the ATR and then T=0 or 1 and friends. However, my
experience with hacking on the Eutron driver showed that either there
are still vendor-specific issues (bugs? workarounds?) to iron out, or OpenCT
is simply incomplete.
For #2 we have CCID. This seems to be about the only thing we can count on to
work. Can anyone correct me?
For #3 we have PKCS#15. Why this only applies to reading, I don't know, but
99% of smart card applications are read-only so this is still a very worthy
standard, if it works as advertised that is. Are there any known cases where
PKCS#15 software has been incompatible for read access?
For #4, I guess there is nothing yet. I don't quite understand this, since
anything readable as PKCS#15 must have also been written as PKCS#15, but I'm
sure someone can step in and explain this.
And then there's ICCD. I briefly looked at the usb.org PDF file, and indeed
it does look like a standard for integrated USB crypto tokens. It is dated
April 2005. Does anyone know what is going on with this specification, or if
any devices are in development for it?
Correct me if I'm wrong, but would ICCD count as a standard for both #1 and
#2? I'm confused about this, because if we already have a standard for #1
(ATR, T=0, whatever), then it doesn't seem like we need the ICCD spec at all.
CCID would be enough.
Thanks,
-Justin
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
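As an added illustration of the "ATR and then T=0 or 1" layer Justin calls area #1 (example code written for this page, not OpenSC or OpenCT code): a parser that walks an ISO 7816-3 Answer To Reset, reports which protocol types the card indicates, and verifies the TCK check byte. The two ATRs are constructed for the example, not captured from real cards.

```python
from dataclasses import dataclass
from functools import reduce
from operator import xor

@dataclass
class Atr:
    convention: str   # "direct" (TS=0x3B) or "inverse" (TS=0x3F)
    interface: dict   # interface bytes actually present, e.g. {"TA1": 0x11, "TD1": 0x81}
    protocols: list   # T values from the TD chain, in order; [0] when no TD1 (T=0 by default)
    historical: bytes
    tck_ok: bool      # True when TCK verifies, or is absent because only T=0 is indicated

# Constructed sample ATRs (not from any real card): a T=1 card with a TCK, and a T=0-only card without one.
T1_ATR = bytes.fromhex("3B93118131FE458031C0F8")
T0_ATR = bytes.fromhex("3B021450")

def parse_atr(atr: bytes) -> Atr:
    # ISO 7816-3 layout: TS, T0, TA/TB/TC/TD chain, historical bytes, optional TCK
    conventions = {0x3B: "direct", 0x3F: "inverse"}
    if len(atr) < 2 or atr[0] not in conventions:
        raise ValueError("ATR must start with TS (0x3B or 0x3F) followed by T0")
    y, k = atr[1] >> 4, atr[1] & 0x0F   # T0: Y1 = which of TA1..TD1 follow, K = historical count
    interface, protocols, pos, i = {}, [], 2, 1
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError(f"ATR truncated before {name}{i}")
                interface[f"{name}{i}"] = atr[pos]
                pos += 1
        td = interface.get(f"TD{i}")
        if td is None:
            break
        protocols.append(td & 0x0F)   # low nibble: T=0, T=1, or 15 for global interface bytes
        y, i = td >> 4, i + 1         # high nibble: which of TA/TB/TC/TD(i+1) follow
    protocols = protocols or [0]
    historical = atr[pos:pos + k]
    if len(historical) != k:
        raise ValueError("ATR truncated inside historical bytes")
    pos += k
    # TCK is present iff anything other than T=0 is indicated; T0 ^ ... ^ TCK must equal 0
    tck_ok = True
    if any(t != 0 for t in protocols):
        if pos >= len(atr):
            raise ValueError("TCK required but missing")
        tck_ok = reduce(xor, atr[1:pos + 1], 0) == 0
        pos += 1
    if pos != len(atr):
        raise ValueError(f"{len(atr) - pos} trailing byte(s) after ATR")
    return Atr(conventions[atr[0]], interface, protocols, bytes(historical), tck_ok)
```

A rejected or corrupted ATR is the first place a reader/driver mismatch shows up, so logging the parsed chain and the TCK result is a cheap first check before suspecting the driver.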