Am Freitag 16 April 2010 09:38:16 schrieb Anders Rundgren: > If you wanted to provide a USB PKI token that would give the user maximum > flexibility it seems that the device should support CCID. > > 1. As I understand,CCID only provides the basic communication and does not > address higher level issues such as PKI, right?
CCID is "reader level" i.e. how to talk to the card, make sure that both small and large data blocks can be transfered, communication speed, detecting and resetting cards, and - if the reader has a pinpad - then also pinpad operations. my view on this issue is this: if you buy a smart card reader or usb crypto token, make sure it works perfectly with the original microsoft CCID driver, and the open source libccid driver for linux. if the device needs its own driver instead or has any problem with those standard drivers, it is not worth the hazzle and should be avoided. (not comment on mac os X, as apple seems to be slow in using the lastest libccid, and maybe does strange modifications on it...) > 2. Would a token that emulates FIPS201 and CCID be usable in most > systems as is or is there another emulation that would be better? no idea what FIPS201 is. > 3. You would need to "hijack" somebody else ATR in order to emulate > in a (for the user) hassle-free way? > > 4. Other question: CCID allows you to exchange arbitrary data between > the token and the host, right? with pcsc subsystem and a driver for it, you can ignore the details how the device it attached to the pc (usb / serial / build-in), and what vendor and product it is, as all that is solved. you can now focus on the card. each card of course is different. it starts with the ATR and then you have all the card capabilities, the commands, the security model, and unique features. hard disks are great - you can replace them, and they only differ with speed and storage size and maybe seek time, but to the pc they all look the same, and that is great - buy a new one, copy the data, replace the old, done. in the smart card world everyone is doing their own thing, trying to be different, implements different commands, different profiles, different algorithms, different security modules, different features and so on. that prevents unification and keeps the prices high. of course there is javacard, but it is expensive due to the patent fees, and it doesn't help much, as everyone implements different applets on top of it, so the result is different again. if you build a new device, and can implement any atr and command set etc. that you want, you could clone some well known product, but that would most likely get you into copyright issues, even if only the interface was copied. (I'm no lawyer, so no idea here.) but maybe iso 7816-* is now good enough to code those commands the iso spec has for a full working card? I'm no expert on the later parts, as each card I know is different from them anyway. Regards, Andreas _______________________________________________ opensc-devel mailing list [email protected] http://www.opensc-project.org/mailman/listinfo/opensc-devel
