Hello,
On Sep 17, 2010, at 11:00 PM, Peter Stuge wrote:
>> An introduction on how hardware security devices improve the
>> situation and how smart cards and tokens are the cheapest and thus
>> most available key containers.
> 
> In my experience this kind of info is not distributed so efficiently
> in a booth. I am not arguing against a booth at all - it can be a lot
> of fun and is a great way to get new people interested in the
> project!
> 
> But for something like the above a presentation is unbeatable,
> especially if it gets recorded and published online somewhere.

Indeed. But without some background information smart cards, tokens and readers 
are just fancy pieces of hardware. People confuse card readers (secure digital) 
and smart card readers (ISO7816). Unless they know that there are services "out 
there" that can be used with eID cards, the apparent candy from smart cards is 
not that obvious.

"So you can use it to log on to a remote site with SSH and a smart card. Hey, I
can do the same, and I don't have to enter a PIN code for my key on the disk!"

Awareness and education among end-users and developers is what is needed, IMHO. 
A plain stand will be fancy, but it is harder to just "get" OpenSC and smart 
cards than it is to grok VLC or Apache.

>> As more and more people have eID cards and there are both services
>> (online) and applications (ssh) that can make use of them, eID is
>> important as well. I guess we need to verify the list of actually
>> supported eID cards to sound credible with the supported hardware
>> list.
> 
> I think this is a really important point, and this is the way that
> "everyone" can get into OpenSC. But if getting "everyone" into OpenSC
> then it's also critical to demonstrate that it can actually work and
> talk about what pitfalls to avoid.

Correct. I believe the possible booth should have both horizontal and vertical 
aspects.
Horizontal: different platforms (Linux, Windows, Mac), different smart cards  
and tokens (eID, OpenSC personalized), proprietary PKCS#11 modules (yes, for 
pam_pkcs11 it does not really matter). Key theme could be interoperability and 
usefulness.
Vertical: Technology in depth. Deep Linux integration (login, applications, 
extensions to web), personalization, 

A vertical application stack with many features but locked to a single vendor
would be a casual trade show, OpenSC should focus on openness, interoperability 
and choices (to a reasonable extent).
As the main focus is on free software, *nix is the theme and cooperating with 
GnomeKeyring folks for an integrated demo could be fun. I've not yet had the 
time to check what exactly GnomeKeyring provides/uses in PKCS#11 terms, but I 
plan to do it in the coming weeks (when my new linux-only workstation arrives)


>> What would be the ideas for the booth?
> 
> I think any booth should demo state of the art technology, with at
> minimum one killer feature, but preferably several. A killer feature
> is something that every visitor who stops by the booth will
> understand and appreciate.
> 
> So; what I would love to see in a booth is a system with graphical
> smart-card login, bonus points for text-mode login, lock on card
> removal, intelligent card insertion while locked (same card vs.
> different card inserted), same card can unlock with PIN, different
> card politely explains that the system remains locked. Maybe (big
> maybe) a security officer card which can *also* unlock the screen
> and take over the session.

Hopefully people from other projects would be present. To have a well 
integrated demo, possibly changes are needed to related projects (GDM).


> Also, web authentication using the card. Maybe two cards with
> different profiles/ACL, one allowing direct access to the web site
> since the user is already logged-in to the system via card. Another
> maybe requiring authentication for every use of the card.
CKA_ALWAYS_AUTHENTICATE is unfortunately not supported by NSS/Firefox.

Should write it down in the wishlist...


> Form/document signing and signature verification would also be nice.
> PGP key signing is always a big thing at FOSDEM, any way to overlap
> with GnuPG and maybe the OpenPGP card would be good. FSFE are present
> there, and all FSF Fellows have a card. It should be usable in the
> OpenSC booth.

There's a difference in "signature" and "legally binding signature".
OpenPGP card interoperability on PKCS#11 level should be OK. Maybe even the new 
cryptostick (OpenPGP v2) card support in OpenSC will be present by then.



> A killer feature would indeed be if people can use their *own* cards
> in the demo system(s) in the booth, without any setup required. This
> of course requires some preparation, to recognize the issuers. Maybe
> it's only feasible to prepare this for one single issuer, then I'd
> suggest to make that the one used for the FSF(E?) fellows' cards.

I think this will be the best field test to document "what's out there".


> Email signing of course, ideally not only with a local app, but also
> a web email app, though that may be complicated.
E-mail interoperability on Linux (Thunderbird) and Mac (Mail.app) would be a nice
demo.



> 
> SSH and VPN using card.
> 
> This was my brainstorming. :) I would be happy to see any one of
> these things demoed in an OpenSC booth, but of course it would be
> amazing to show all of them!
Good start. Maybe a shared mindmap on mindmeister.com and a related wiki page 
will help to organize the ideas better.


> 
> I was at FOSDEM last year and had a great time. It was really
> difficult to manage to spend time with everyone I would have liked
> to, while at the event. The evenings are also important to plan a
> little. We had a coreboot devroom last year and a couple of coreboot
> people went for dinner and drinks; one of the few times a couple of
> developers have managed to actually meet.

There are other happenings that are more security oriented than FOSS (and
OpenSC matches both):
http://2010.brucon.org/index.php/Main_Page
http://2010.hack.lu/index.php/Main_Page (has a smart cards workshop)



> Pretty much every project will do it too and I think it's important
> to announce it so that no one misses out on it that would have liked
> to join. :)
> 
> Bring cab money or good walking shoes; public transport stopped at 1am. :(
Going abroad without good walking shoes is a very bad choice usually :)

-- 
Martin Paljak
@martinpaljak.net
+3725156495

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
