On Wed, 08/09/2010 at 19.23 +0300, Martin Paljak wrote:
> Hello,
> On Sep 8, 2010, at 3:15 PM, jons...@terra.es wrote:
> > We have tried to compile, install and get running OpenSC 0.12 with Spanish
> > DNIe code.
> >
> > Status: compiles, installs, but fails to run trying to establish secure
> > channel. Too many changes
> > in debug code, sc_xxx structs, API changes... and not sure about
> > correctness of some patches I've done
> Nothing except r4008 [1] is important to the DNIe, and it is a rather
> cosmetic change, the der->content move.
> The rest of sc_debug related code changes are many, but straightforward (and
> annoying). The code seems OK to me, but ....
>
> > You can see the discussion (and Martin's suggestions) at Kriptopolis site:
> > http://www.kriptopolis.org/opensc-dnie-linux

I'm reading that page (hoping that my understanding of Spanish is adequate), and I see

" ..Y que el DNI Italiano -que es clavado al español- con su "secure channel", sus claves privadas y tal y tal ya está integrado plenamente en OpenSC..."

If DNI Italiano == CIE (Electronic Identity Card), and if "clavado" means "strictly coupled", I'm sorry but this is not true.

CIE does not use "Secure Channel" implementation by means of secure messaging, at least not for normal use of the card (which carries only Authentication Certificates and not Non-Repudiation, so it is not used to create legally binding Electronic Signatures).

The version in trunk is covering only that use of the card (https client auth for instance), and in fact Emanuele took away SM implementation that Viktor Tarasov is implementing in a general way.

I'm very curious about SM in DNIe: is it used in normal operations by the card holder (passing PIN, PKCS1 encryption)? In that case, does SM use symmetric cryptography? And how was the SM static key distribution problem solved?

In Italy SM is used in this way in CNS cards (which are interoperable with CIE for Authentication purposes), only for digital signature operations.

Some Italian Certification Authority claims that SM is mandatory for obtaining EAL4+ assurance Level. What are your thoughts about that?

To my knowledge, in Italy, SM keys are embedded in pkcs11 cryptokis, and I know already the opinion of Viktor on that:

"As for me, there is no sense in SM keys embedded in the middleware."[1]

I definitely agree, but it would be nice to hear that some other reasonable way of doing SM for card holder operations is in place.

bye,
Roberto Resoli

[1] http://www.mail-archive.com/opensc-devel@lists.opensc-project.org/msg06269.html