Hello,
On 07.01.2011 22:21, Jean-Michel Pouré - GOOZE wrote:
Because users have smartcards in the wallet and need to connect from any
computer, including Mac OS X, Windows and GNU/Linux, and they don't know
in advance which framework is installed, it seems important that card
initialization is consistent between proprietary drivers and OpenSC.
Actually it's the case for Oberthur's AuthentIC v2 ('oberthur' driver) and for
Oberthur's AuthentIC v3 ('authentic' driver).

For the first one the 'native' (expected by the producer's middleware) on-card 
file system is not PKCS#15.
But OpenSC implements the emulation of pkcs15 and pkcs15init and thus
this card can be initialized and used by OpenSC and can stay compatible with 
the native middleware.

For the second one it's easier, because the 'native' on-card file system is 
compatible with PKCS#15.

OpenSC support of both cards at the development stage was (is) regularly
tested for compatibility with the 'native' middlewares.


I tried different scenarios with the Feitian PKI.

It seems that initializing a Feitian PKI on Windows 7 64bits (CSP), you
are able to use the card on GNU/Linux (OpenSC). But the converse is not
always true. Windows may not accept the PIN code or declare certificates
invalid.

IMHO, it's possible for OpenSC to support the on-card
file system expected by the 'native' middleware. Probably this format will not
be completely pkcs#15, but that's what the OpenSC emulation was conceived for.

For that it's preferable to have full card specification.
But its absence is not an obstacle -- USB sniff and content of the card
initialized by native middleware will show the source of incompatibility.


So I did a simple test:
* Under Windows 7 64 bit: use only Feitian tools.
* Under GNU/Linux: use only OpenSC 0.10.0 + Firefox.

I initialized a card with PIN code 0000 and transferred a certificate
using Firefox. This is what users are going to do if they enroll on
online servers, which I expect.

Please find hereafter a compared dump of the cards.

My questions are:
1) Should the PIN and RSA/certificate flags be consistent for all drivers?
Is that important for Windows 7 or OpenSC? Please notice the difference
in the PIN flags.
2) If the flags are important, could we consider some kind of
initialization option like --windows, which would add the same flags as
if initialized by proprietary drivers?
3) Can the flags be modified after a card is initialized by OpenSC? I
would like to study the importance of flags.
4) The PIN flags are from OpenSC.
5) Most flags are from RSA/X.509 certs. Do OpenSC or Firefox add flags
during transfer of certs?

Basically, I would like to be able to initialize cards and users are
never aware this was OpenSC and not the proprietary drivers. Is that
possible?

Sorry for all these questions, I hope this can be useful for basic
users.

Kind regards,

Kind wishes,
Viktor.


--
Viktor Tarasov  <viktor.tara...@opentrust.com>

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
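
An added example, not part of the original message and not OpenSC code: to see which PIN flags differ between a card initialized by the native middleware and one initialized by OpenSC, the code below decodes the PKCS#15 PinFlags bits from two text dumps and reports the differences per PIN. The dump layout (a `PIN [label]` header followed by a `Flags : [0x..]` line), the helper names and the sample dumps are assumptions constructed for illustration; they are not the dumps referred to in this thread.

```python
import re

# PinFlags bit positions (bit 0 first) from the PKCS#15 PinAttributes definition.
PIN_FLAGS = [
    "case-sensitive", "local", "change-disabled", "unblock-disabled",
    "initialized", "needs-padding", "unblockingPin", "soPin",
    "disable-allowed", "integrity-protected",
    "confidentiality-protected", "exchangeRefData",
]
# Assumed dump layout: "PIN [label]" header, then a "Flags : [0x..]" line.
PIN_RE = re.compile(r"^PIN \[(?P<label>[^\]]+)\]", re.M)
FLAGS_RE = re.compile(r"^\s*Flags\s*:\s*\[?(0x[0-9A-Fa-f]+)", re.M)

def decode(value):
    """Return the set of flag names set in a PinFlags integer."""
    return {name for bit, name in enumerate(PIN_FLAGS) if value & (1 << bit)}

def pin_flags(dump):
    """Map each PIN label found in a dump to its raw flags value."""
    result = {}
    headers = list(PIN_RE.finditer(dump))
    for i, m in enumerate(headers):
        # Search only inside this PIN's block, up to the next PIN header.
        end = headers[i + 1].start() if i + 1 < len(headers) else len(dump)
        flags = FLAGS_RE.search(dump, m.end(), end)
        if flags:
            result[m.group("label")] = int(flags.group(1), 16)
    return result

def diff_pins(native_dump, opensc_dump):
    """Per PIN label: (flags only on native card, flags only on OpenSC card)."""
    a, b = pin_flags(native_dump), pin_flags(opensc_dump)
    report = {}
    for label in sorted(set(a) | set(b)):
        fa, fb = decode(a.get(label, 0)), decode(b.get(label, 0))
        if fa != fb:
            report[label] = (sorted(fa - fb), sorted(fb - fa))
    return report

# Constructed sample dumps (hypothetical values, not taken from real cards).
NATIVE = """PIN [User PIN]
    ID     : 01
    Flags  : [0x33], case-sensitive, local, initialized, needs-padding
"""
OPENSC = """PIN [User PIN]
    ID     : 01
    Flags  : [0x32], local, initialized, needs-padding
"""

if __name__ == "__main__":
    for label, (only_native, only_opensc) in diff_pins(NATIVE, OPENSC).items():
        print(label, "native only:", only_native, "OpenSC only:", only_opensc)
```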
