The reason we started looking at eTokens was to make grid access 
*easier*, not harder ;-)
(see 
http://www.nikhef.nl/pub/projects/grid/gridwiki/index.php/Using_an_Aladdin_eToken_PRO_to_store_grid_certificates
for a writeup on how to use Aladdin's RTE software to access eTokens 
from Linux)

We're developing grid software, which makes extensive use of X.509 
certificates. These are a pain in the butt for our users, especially when it 
comes to security, keeping track of your private key, etc. The 
ultimate goal is to supply users with an eToken (or any crypto smartcard 
in USB format, really, that works on Windows, Linux and MacOS). 
With this eToken they then have transparent access to "the grid", be it 
using a browser, using Linux command-line tools or using a 
certificate-enhanced version of ssh/putty (gsissh). If we have to tell 
our users that an eToken will make life a lot easier/safer etc. *but* 
they have to keep track of their certificates in two separate ways on 
Linux and Windows, then I can already predict what they'll tell me ;-)

So, I'm looking for a solution that will allow our users to store (and 
generate!) their grid certificate safely on a crypto USB key. They will 
want to do this only once, as you can imagine (getting the certificate 
signed requires a full ID check). After that, the idea is that they 
can plug the USB key into their systems wherever they are and poof, 
magic happens, and they're authenticated on the grid. Right now we use 
Aladdin's RTE software to do this, as this is "cross-platform transparent" 
(ugh) but unfortunately is also not open source. Thus, if I could get 
the open source software to work together with the (commercial) GUI on 
Windows, then that would be really great. I don't need PKCS#15 for this, 
just PKCS#11 access that works the same on all platforms... We'd be 
willing to send one of these eToken PRO 32Ks to the OpenSC developers 
if that would speed things up ;-)

regards,

Jan Just Keijser
System Integrator
Nikhef / Amsterdam


Eddy Nigg (StartCom Ltd.) wrote:
> Douglas E. Engert wrote:
>>
>> Sounds like an emulation routine could be written. Has anyone looked
>> at that? I would assume you would want to use the same certificates
>> as used with Windows and the vendor's other software.
> One could maybe receive the relevant docs from Aladdin, but to all of 
> my knowledge this requires one to sign an NDA. What can be done afterwards 
> and what the NDA implies is still a question. I have been discussing 
> this a little bit with Nils. On the other hand I'm not sure if it can 
> be reverse engineered, and what's the effort? Or did you have something 
> else in mind (emulation), combining both pieces of software and using the PKCS#11 
> interface of etokend from Aladdin?
>
> Usually I suggest either using the software provided by Aladdin, 
> which works on Linux and Windows, or OpenSC (which should work on Mac 
> too). Well...at least when we get it back working ;-)
>

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel