Cornelius Kölbel wrote:
> Hi,
> unfortunately I guess at the moment it will not make it easier for your
> users. The integration of smartcards into any Linux distribution is not
> seamless yet.
> Even if all opensc software is installed and your token/smartcard is
> recognized, the user will still have to load the pkcs11 lib into his
> firefox. Not easier / one more possible step with errors :-/
>   
Right now I've got it boiled down to
- install a single RPM (for RHEL4, Fedora Core 5/6, OpenSuSE 10.x) or 
install one or two .deb packages on Debian or Ubuntu
- follow instructions on how to add the libetpkcs11.so module to Firefox 
and/or Thunderbird

This seems to work quite well, and if you throw in enough screenshots 
all users can load the library without too many problems.

> But maybe in your scenario it would be sensible to use opensc also on
> the windows side?
>   
If a "fully-opensc" solution would work with the etokens that we have 
then that would be fine with me. Compatibility with the Aladdin RTE 
software would be a huge bonus, but if the opensc solution works better 
then I am sure that I can convince our users to re-initialize their tokens.
However, before a fully-opensc solution works I would have to make sure that
- initializing our etokens works, including setting of a non-default SOPIN
- generating and storing X509 certificates works
- integration with apps like Firefox, thunderbird, OpenVPN, 
Openssh/GSISSH, PuTTY etc works on all platforms (linux+windows+macos).
- the script that I have created to generate short-lived proxy 
certificates also works as well as it does now.

Only then would the opensc-solution be a viable alternative. 
Unfortunately, we're quite a way off from that situation :-(


regards,

Jan Just Keijser
System Integrator
Nikhef / Amsterdam

> Jan Just Keijser schrieb:
>   
>> The reason we started looking at eTokens was to make grid access 
>> *easier*, not harder ;-)
>> (see 
>> http://www.nikhef.nl/pub/projects/grid/gridwiki/index.php/Using_an_Aladdin_eToken_PRO_to_store_grid_certificates
>>  
>> for a writeup on how to use Aladdin's RTE software to access eTokens 
>> from Linux)
>>
>> We're developing grid software, which makes extensive use of X509 
>> certificates. These are a pain in the butt for our users, esp. when it 
>> comes to security, keeping track of your private key etc etc. The 
>> ultimate goal is to supply users with an etoken (or any crypto smartcard 
>> in usb format, really, that works on both Windows, Linux and MacOS). 
>> With this etoken they then have transparent access to "the grid", be it 
>> using a browser, using linux command-line tools or using a 
>> certificate-enhanced version of ssh/putty (gsissh). If we have to tell 
>> our users that an etoken will make life a lot easier/safer etc *but* 
>> they have to keep track of their certificates in two separate ways on 
>> linux and windows then I can already predict what they'll tell me ;-)
>>
>> So, I'm looking for a solution that will allow our users to store (and 
>> generate!) their grid certificate safely on a crypto usb key. They will 
>> want to do this only once, as you can imagine (getting the certificate 
>> signed requires a full ID check). After that, the idea is that they 
>> can plug in the usb key into their systems wherever they are and poof, 
>> magic happens, and they're authenticated on the grid.  Right now we use 
>> Aladdin RTE software to do this, as this is "cross-platform transparent" 
>> (ugh) but unfortunately is also not open source. Thus, if I could get 
>> the open source software to work together with the (commercial) GUI on 
>> windows then that would be really great. I don't need PKCS#15 for this, 
>> just PKCS#11 access that works the same on all platforms... We'd be 
>> willing to send one of these eToken PRO 32K's to the opensc developers 
>> if that would speed things up ;-)
>>
>> regards,
>>
>> Jan Just Keijser
>> System Integrator
>> Nikhef / Amsterdam
>>
>>
>> Eddy Nigg (StartCom Ltd.) wrote:
>>     
>>> Douglas E. Engert wrote:
>>>       
>>>> Sounds like an emulation routine could be written. Has anyone looked
>>>> at that?  I would assume you would want to use the same certificates
>>>> as used with Windows and the vendor's other software.
>>>>         
>>> One could maybe receive the relevant docs from Aladdin, but to all of 
>>> my knowledge that requires one to sign an NDA. What can be done afterwards 
>>> and what the NDA implies is still a question. I have been discussing 
>>> this a little bit with Nils. On the other hand I'm not sure if it can 
>>> be reverse engineered and what's the effort? Or did you have something 
>>> else in mind (emulation), combining both software and use the pkcs11 
>>> interface of etokend from Aladdin?
>>>
>>> Usually I suggest either using the software provided by Aladdin 
>>> which works on Linux and Windows or OpenSC (which should work on Mac 
>>> too). Well...at least when we get it back working ;-)
>>>
>>>       
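The Firefox/Thunderbird step in Jan's instructions above (adding the libetpkcs11.so PKCS#11 module to the application's security device list) can be scripted with NSS's modutil instead of walking users through the dialogs. This is an added example, not code from the thread or from OpenSC; the module name, library path and profile locations are assumptions, and module_listed matches the "  N. <name>" lines that modutil -list prints.

```shell
#!/bin/sh
# Added example: register a PKCS#11 module (e.g. libetpkcs11.so) in every
# Firefox/Thunderbird profile with NSS's modutil, skipping profiles that
# already list a module with that name. Assumed values: module name,
# library path and profile locations; adjust for your installation.

MODULE_NAME="${MODULE_NAME:-Aladdin eToken}"
MODULE_LIB="${MODULE_LIB:-/usr/lib/libetpkcs11.so}"

# Print every profile directory that holds an NSS database (cert8.db or cert9.db).
list_nss_profiles() {
    for d in "$HOME"/.mozilla/firefox/*/ "$HOME"/.thunderbird/*/; do
        if [ -f "$d/cert8.db" ] || [ -f "$d/cert9.db" ]; then
            printf '%s\n' "${d%/}"
        fi
    done
}

# Read "modutil -list" output on stdin; succeed if a module named $1 is listed.
# modutil prints each module as "  N. <name>" followed by indented details,
# so extract the names and compare whole lines to avoid partial matches.
module_listed() {
    sed -n 's/^[[:space:]]*[0-9][0-9]*\. //p' | grep -Fqx "$1"
}

# Register the module in one profile unless it is already present.
# Older NSS needs a "sql:" prefix on the path for cert9.db profiles.
register_module() {
    profile="$1"
    if modutil -dbdir "$profile" -list 2>/dev/null | module_listed "$MODULE_NAME"; then
        echo "already registered in $profile"
        return 0
    fi
    # -force answers modutil's "close the browser first" prompt non-interactively.
    modutil -dbdir "$profile" -add "$MODULE_NAME" -libfile "$MODULE_LIB" -force
}

main() {
    list_nss_profiles | while IFS= read -r p; do register_module "$p"; done
}

# Only act when invoked with --run, so the functions can be sourced and tested.
if [ "$1" = "--run" ]; then
    main
fi
```

Run it once per user account with all Firefox/Thunderbird windows closed; rerunning is harmless because already-registered profiles are skipped.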

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel