On Thu, Jun 10, 2010 at 14:20, Ludovic Rousseau <ludovic.rouss...@gmail.com> wrote:
> The advantage of using a HID interface instead of CCID is that, on
> Windows, any user application can talk to a HID device without
> installing a driver.
> With a CCID interface and an old Windows (before Vista I think) you
> have to install a CCID driver and then you need to have the
> administrative access rights for that.

I can confirm that the same should apply to OS X.

> Vendors are dreaming of a world of zero-install (no admin rights
> needed) and zero-footprint (no files copied on the hard disk). You
> just plug your device and you can use it (using autorun).

Of course my considerations about security depend strongly on the threat model – a lot of compromised machines are compromised enough that malware can work with admin rights, so I admit it doesn't make a lot of difference in that (common) case.

> On GNU/Linux it is different. The kernel HID driver will use the
> device and you need to be root to disconnect the device from the HID
> driver and use it the way you want.

My tests show that these HID devices are caught by the hidraw driver, so they are ready to be accessed from the userland. Still, one has to reconfigure udev to assign privileges to the right user (or to the console group, etc.) for things to be automatically ready every time that the token is inserted; either that becomes the default in mainstream distros, or users should be happy with an "almost-zero install" experience.

> Doing AES in hardware is not expensive and is fast.

Good! (I'm not up-to-date with any of that – it shows, doesn't it? :D)

I wouldn't be able to suggest whether the best approach would be a new driver for pcsc-lite, OpenCT, or an OpenSC reader module; probably one of the first two would be more flexible/recyclable, since they could be used in other environments, and on the other hand a "key-portable" version of OpenSC could open and use their libraries as well.

Bye,
--
Emanuele