Dear all,

because the release of opensc 0.12.0 isn't far away, I had a look at the NEWS file to see which improvements it will bring to us. After reading this list of changes some questions arise for me:
1. From my perspective the most important improvements are bug fixes and additional driver support. These could have been done in a 0.11.x release too. Therefore my first question is: Where are the major improvements which led to the API/ABI break in the upcoming version of opensc? And why are they worth doing so?

2. The announcement of the GOST public key algorithm seems to me very optimistic, because the current implementation isn't functional at all [1][2]. It would be very surprising to me if there is at least one single person who could explain (to an ordinary user) how to get this stuff to work. Question: Why declare such non-functional stuff as a new feature?

3. The use of openssl in some drivers is also very questionable. For example, there are a handful of drivers which use openssl for every cryptographic operation. That means these drivers will extract the keys from the card and operate with them on the host side. In combination with the "insecure default setting" this makes card cloning an easy task.

So, what could have been done in a new major version? Looking at the list of open tickets, there are many issues besides graphical installers and new drivers. Some suggestions:

#70 is maybe not specific to mozilla. An entry in the configuration file could help. It would empower the user to explicitly name the applications for which the non-repudiation keys and certs are visible.

#110: it would be nice if a module written for "0.12" worked for all 0.12.X releases.

#151 is one of the most important issues of opensc. It is caused by the fact that opensc doesn't evaluate the pkcs15 structures on smart cards very well. This prevents interoperability in both directions: cards initialised with opensc won't work with other libraries and vice versa. Viktor Tarasov has supplied a first patch [4510]. A followup can be found here [3].
In short: not evaluating/populating the supportedAlgorithms structure in TokenInfo makes it nearly impossible to handle pkcs15 cards correctly.

#158 could be closed, because the named check is at the right place and should stay untouched.

#220: it seems to me that the attached patch only works for pkcs11-tool. What will happen if anybody wants to use this kind of token with mozilla? Why not use the emulation layer?
    p15card.flags |= SC_PKCS15_CARD_FLAG_LOGIN_REQUIRED

#252: the reporting user has a card initialised with software by Siemens, so this ticket doesn't belong to pkcs15init. The problem is caused by the fact that opensc is evaluating the proprietary security attributes of EF and DF (tag 86 in FCI) and not evaluating the "CommonObjectAttributes.accessControlRules".

To summarise my impression of the upcoming 0.12.0 release: the feature set is low. The most user-visible things are the graphical installers and the support of new cards. Other changes are bug fixes and small improvements, things that could have been done in 0.11.X releases too. While there will be more supported cards in the new release, the support of REAL pkcs15 cards is still the same, which isn't impressive at all. This will hopefully change in the next major release 0.13.0, which may be years away. Remember that 0.11.0 was first released in the year 2006 [4]. Another point to mention is that none of the upcoming releases has improved support of real pkcs15 cards as its goal [5]. Changing this could be a good point to start making opensc more interoperable with well-initialised pkcs15 cards.
Kind Regards
Andre Zepezauer

[1] http://www.opensc-project.org/opensc/browser/trunk/src/libopensc/pkcs15-sec.c#L86
[2] http://www.opensc-project.org/opensc/browser/trunk/src/libopensc/card.c#L725
[3] http://www.opensc-project.org/pipermail/opensc-devel/2010-August/014618.html
[4] http://www.opensc-project.org/opensc/browser/releases/opensc-0.11.0/NEWS
[5] http://www.opensc-project.org/opensc/roadmap
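The #151 point in the mail above, that a PKCS#15 library has to read the supportedAlgorithms field of TokenInfo before it can know which operations a card actually offers, as an added example that is neither part of the original mail nor OpenSC code. It decodes the DER of a TokenInfo, assuming the implicit tagging of the PKCS#15 module and single-byte tags, and reports for each advertised algorithm the operations it may be used for. The TokenInfo bytes are constructed inline, and the numeric reference, algorithm and algRef values in it are assumptions chosen for the example.

```python
# Added example (not OpenSC code): read supportedAlgorithms from a PKCS#15
# TokenInfo in DER and report what each advertised algorithm may be used for.
# Assumes the implicit tagging of the PKCS#15 module and single-byte tags.

# Bit positions of the PKCS#15 Operations BIT STRING
OPERATION_NAMES = ["compute-checksum", "compute-signature", "verify-checksum",
                   "verify-signature", "encipher", "decipher", "hash", "generate-key"]
TAG_SUPPORTED_ALGORITHMS = 0xA2  # [2] IMPLICIT SEQUENCE OF AlgorithmInfo


def der(tag, content):
    """Tiny DER encoder used only to build the sample; short-form lengths suffice here."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def read_tlv(buf, pos):
    """Decode one TLV at buf[pos]: returns (tag, value, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV length runs past the end of the buffer")
    return tag, buf[pos:end], end


def children(value):
    """Yield (tag, value) for every TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner


def decode_oid(value):
    """Dotted-decimal form of a DER OBJECT IDENTIFIER value."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def decode_operations(value):
    """Map the Operations BIT STRING (first octet = unused-bit count) to names."""
    unused, bits = value[0], value[1:]
    usable = len(bits) * 8 - unused
    return {name for i, name in enumerate(OPERATION_NAMES)
            if i < usable and (bits[i // 8] >> (7 - i % 8)) & 1}


def parse_algorithm_info(value):
    # AlgorithmInfo: reference INTEGER, algorithm INTEGER, parameters ANY,
    # supportedOperations BIT STRING, then optional algId OID and algRef INTEGER
    fields = list(children(value))
    info = {"reference": int.from_bytes(fields[0][1], "big"),
            "algorithm": int.from_bytes(fields[1][1], "big"),
            "operations": decode_operations(fields[3][1]),
            "algId": None, "algRef": None}
    for tag, inner in fields[4:]:
        if tag == 0x06:
            info["algId"] = decode_oid(inner)
        elif tag == 0x02:
            info["algRef"] = int.from_bytes(inner, "big")
    return info


def supported_algorithms(tokeninfo_der):
    """Return the AlgorithmInfo entries of a DER TokenInfo ([] when the field is absent)."""
    tag, body, _ = read_tlv(tokeninfo_der, 0)
    if tag != 0x30:
        raise ValueError("TokenInfo must be a SEQUENCE")
    for ctag, cval in children(body):
        if ctag == TAG_SUPPORTED_ALGORITHMS:
            return [parse_algorithm_info(v) for t, v in children(cval) if t == 0x30]
    return []


def can_perform(tokeninfo_der, operation):
    """True if at least one algorithm the card advertises supports the operation."""
    return any(operation in a["operations"] for a in supported_algorithms(tokeninfo_der))


# Constructed sample TokenInfo, not read from a real card; the reference,
# algorithm and algRef values are assumptions chosen for this example.
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
ALGO_RSA = der(0x30, b"".join([
    der(0x02, b"\x01"),        # reference
    der(0x02, b"\x00"),        # algorithm (PKCS#15 AlgorithmSet id)
    der(0x05, b""),            # parameters: NULL
    der(0x03, b"\x02\x44"),    # supportedOperations: compute-signature(1), decipher(5)
    der(0x06, RSA_OID),        # algId
    der(0x02, b"\x11"),        # algRef
]))
SAMPLE_TOKENINFO = der(0x30, b"".join([
    der(0x02, b"\x00"),                  # version
    der(0x04, b"\x01\x02\x03\x04"),      # serialNumber
    der(0x0C, b"ExampleCard"),           # manufacturerID
    der(0x80, b"test token"),            # label [0]
    der(0x03, b"\x04\x40"),              # tokenflags: loginRequired(1)
    der(TAG_SUPPORTED_ALGORITHMS, ALGO_RSA),
]))

if __name__ == "__main__":
    for algo in supported_algorithms(SAMPLE_TOKENINFO):
        print(algo)
    print("can sign:", can_perform(SAMPLE_TOKENINFO, "compute-signature"))
```

A library that skips this field has no way to tell that the sample token offers signing and deciphering but no enciphering; it can only guess from the key objects, which is exactly the interoperability gap the mail describes. A card whose TokenInfo lacks the field yields an empty list, so callers must treat "nothing advertised" differently from "operation not supported".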
