Hello,

On 07.01.2011 22:21, Jean-Michel Pouré - GOOZE wrote:
> Because users have smartcards in the wallet and need to connect from any computer, including Mac OS X, Windows and GNU/Linux, and they don't know in advance which framework is installed, it seems important that card initialization is consistent between proprietary drivers and OpenSC.
Actually it's the case for Oberthur's AuthentIC v2 ('oberthur' driver) and for Oberthur's AuthentIC v3 ('authentic' driver).
For the first one the 'native' (expected by the producer's middleware) on-card file system is not PKCS#15. But OpenSC implements the emulation of pkcs15 and pkcs15init and thus this card can be initialized and used by OpenSC and can stay compatible with the native middleware. For the second one it's easier, because the 'native' on-card file system is compatible with PKCS#15. OpenSC support of both cards at the development stage was (is) regularly tested for compatibility with the 'native' middlewares.
> I tried different scenarios with the Feitian PKI. It seems that initializing a Feitian PKI on Windows 7 64-bit (CSP), you are able to use the card on GNU/Linux (OpenSC). But the converse is not always true. Windows may not accept the PIN code or declare certificates invalid.
IMHO, it's possible for OpenSC to support the on-card file system expected by the 'native' middleware. Probably this format will not be completely PKCS#15, but that's what the OpenSC emulation was conceived for. For that it's preferable to have the full card specification. But its absence is not an obstacle -- a USB sniff and the content of a card initialized by the native middleware will show the source of incompatibility.
> So I did a simple test:
> * Under Windows 7 64 bit: use only Feitian tools.
> * Under GNU/Linux: use only OpenSC 0.10.0 + Firefox.
>
> I initialized a card with PIN code 0000 and transferred a certificate using Firefox. This is what users are going to do if they enroll on online servers, which I expect. Please find hereafter a compared dump of the cards.
>
> My questions are:
> 1) Should the PIN and RSA/certificate flags be consistent for all drivers? Is that important for Windows 7 or OpenSC? Please notice the difference in the PIN flags.
> 2) If the flags are important, could we consider some kind of initialization option like --windows, which would add the same flags as if initialized by proprietary drivers?
> 3) Can the flags be modified after a card is initialized by OpenSC? I would like to study the importance of flags.
> 4) The PIN flags are from OpenSC.
> 5) Most flags are from RSA/X.509 certs. Do OpenSC or Firefox add flags during transfer of certs?
>
> Basically, I would like to be able to initialize cards and users are never aware this was OpenSC and not the proprietary drivers. Is that possible?
>
> Sorry for all these questions, I hope this can be useful for basic users.
>
> Kind regards,
Kind wishes,
Viktor.

--
Viktor Tarasov <viktor.tara...@opentrust.com>
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel