Andreas,

Thank you for verifying that Microsoft's opinion that the card industry is striving for "card-edge compatibility" making you only need a single Microsoft-supplied driver, is completely unfounded!

Although you didn't mention it, card initialization is the thing that really makes things difficult for customers. FIPS201/PIV does not even specify that part and we surely understand why :-)

I'm still quite uncertain on what to emulate in order to get a middleware-free token. CCID yes, but above that level things look much more unclear.

Regards,
Anders
continuing the slow but not ceased development of a token that the card industry could never do...

Andreas Jellinghaus wrote:
> On Friday 16 April 2010 09:38:16 Anders Rundgren wrote:
>> If you wanted to provide a USB PKI token that would give the user maximum
>> flexibility it seems that the device should support CCID.
>>
>> 1. As I understand, CCID only provides the basic communication and does not
>> address higher level issues such as PKI, right?
>
> CCID is "reader level" i.e. how to talk to the card, make sure that
> both small and large data blocks can be transferred, communication
> speed, detecting and resetting cards, and - if the reader has a pinpad -
> then also pinpad operations.
>
> my view on this issue is this:
> if you buy a smart card reader or usb crypto token, make sure it works
> perfectly with the original microsoft CCID driver, and the open source
> libccid driver for linux. if the device needs its own driver instead
> or has any problem with those standard drivers, it is not worth the
> hassle and should be avoided.
>
> (no comment on mac os X, as apple seems to be slow in using the
> latest libccid, and maybe does strange modifications on it...)
>
>> 2. Would a token that emulates FIPS201 and CCID be usable in most
>> systems as is or is there another emulation that would be better?
> no idea what FIPS201 is.
>
>> 3. You would need to "hijack" somebody else's ATR in order to emulate
>> in a (for the user) hassle-free way?
>>
>> 4. Other question: CCID allows you to exchange arbitrary data between
>> the token and the host, right?
>
> with pcsc subsystem and a driver for it, you can ignore the details
> how the device is attached to the pc (usb / serial / built-in), and
> what vendor and product it is, as all that is solved. you can now
> focus on the card.
>
> each card of course is different. it starts with the ATR and then
> you have all the card capabilities, the commands, the security model,
> and unique features.
>
> hard disks are great - you can replace them, and they only differ
> with speed and storage size and maybe seek time, but to the pc
> they all look the same, and that is great - buy a new one, copy
> the data, replace the old, done.
>
> in the smart card world everyone is doing their own thing, trying
> to be different, implements different commands, different profiles,
> different algorithms, different security modules, different features
> and so on. that prevents unification and keeps the prices high.
>
> of course there is javacard, but it is expensive due to the patent
> fees, and it doesn't help much, as everyone implements different applets
> on top of it, so the result is different again.
>
> if you build a new device, and can implement any atr and command set etc.
> that you want, you could clone some well known product, but that would
> most likely get you into copyright issues, even if only the interface
> was copied. (I'm no lawyer, so no idea here.)
>
> but maybe iso 7816-* is now good enough to code those commands the
> iso spec has for a full working card? I'm no expert on the later
> parts, as each card I know is different from them anyway.
>
> Regards, Andreas
>
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
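The "reader level" scope described in the quoted reply (block sizes, protocols, pinpad) is what a CCID device advertises in its USB descriptors, and nothing in them concerns PKI. The following is an added example, not part of either post and not OpenSC or libccid code: it parses a constructed USB configuration descriptor and reports those reader-level capabilities. Field offsets follow the USB CCID class specification; the sample values and function names are assumptions made for illustration.

```python
import struct

CCID_CLASS, INTERFACE_DESC, CCID_DESC = 0x0B, 0x04, 0x21  # smart card class; descriptor types
LEVELS = {0x00000: "character", 0x10000: "TPDU", 0x20000: "short APDU",
          0x40000: "short and extended APDU"}

def walk_descriptors(blob):
    """Yield (type, bytes) for each descriptor in a configuration blob."""
    pos = 0
    while pos + 2 <= len(blob):
        length = blob[pos]
        if length < 2 or pos + length > len(blob):
            raise ValueError(f"malformed descriptor at offset {pos}")
        yield blob[pos + 1], blob[pos:pos + length]
        pos += length

def ccid_capabilities(blob):
    """Return reader-level capabilities, or None if no CCID interface is present."""
    in_ccid = False
    for dtype, desc in walk_descriptors(blob):
        if dtype == INTERFACE_DESC:
            # bInterfaceClass is at offset 5 of the interface descriptor
            in_ccid = len(desc) >= 9 and desc[5] == CCID_CLASS
        elif dtype == CCID_DESC and in_ccid:  # 0x21 is also HID's type, hence the class check
            if len(desc) != 54:
                raise ValueError("CCID class descriptor must be 54 bytes")
            bcd, max_slot = struct.unpack_from("<HB", desc, 2)
            protocols, = struct.unpack_from("<I", desc, 6)
            features, max_msg = struct.unpack_from("<II", desc, 40)
            pin = desc[52]  # bPINSupport: bit 0 verify, bit 1 modify
            return {
                "ccid_version": f"{bcd >> 8:x}.{bcd & 0xFF:02x}",
                "slots": max_slot + 1,
                "protocols": [n for bit, n in ((1, "T=0"), (2, "T=1")) if protocols & bit],
                "exchange_level": LEVELS.get(features & 0x70000, "unknown"),
                "max_message": max_msg,
                "pin_verify": bool(pin & 1),
                "pin_modify": bool(pin & 2),
            }
    return None

def sample_config(interface_class):
    """Constructed blob (not from a real device): config + interface + CCID descriptor."""
    ccid = struct.pack("<BBHBBIIIBIIBIIIIIBBHBB", 54, CCID_DESC, 0x0110, 0, 0x07, 0x3,
                       4000, 4000, 0, 9600, 115200, 0, 254, 0, 0, 0x00040002, 65556,
                       0xFF, 0xFF, 0, 0x01, 1)
    iface = bytes([9, INTERFACE_DESC, 0, 0, 3, interface_class, 0, 0, 0])
    config = struct.pack("<BBHBBBBB", 9, 0x02, 9 + len(iface) + len(ccid), 1, 1, 0, 0x80, 50)
    return config + iface + ccid

if __name__ == "__main__":
    print(ccid_capabilities(sample_config(CCID_CLASS)))  # class 0x0B: capabilities dict
    print(ccid_capabilities(sample_config(0xFF)))        # vendor-specific class: None
```

A device that reports class 0x0B is one the generic drivers will try to bind to; whether it then works well with them still has to be tested, and everything card-specific (ATR, command set, security model) sits above this layer.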
