On 1/8/2011 9:11 AM, Jean-Michel Pouré - GOOZE wrote:
>> But OpenSC implements the emulation of pkcs15 and pkcs15init and thus
>> this card can be initialized and used by OpenSC and can stay
>> compatible with the native middleware.
>
> I want to make sure, so that everyone understands: the Feitian PKI can
> be initialized and used under GNU/Linux, Windows and MacOSX.
>
> It is only that initialization under Windows gives additional flags.
>
> I would like to know the importance of these flags for Windows OS. It
> seems that the Windows OS requires some flags and this is not yet
> documented on the OpenSC mailing list. I suspect these flags to allow
> smartcard logon and so on.
On Windows 7 and Vista, are you using the OpenSC drivers with some CSP/minidriver, or Feitian-provided drivers and CSP/minidriver, or does Windows come with a Feitian driver?

My experience with Windows smartcard login is using the smartcard to log in to a domain. This uses the Kerberos PKINIT protocol, RFC 4556. Windows 2000 could do an earlier version of this too. There are no additional flags for a smartcard driver, but the certificate may need to have a subjectAltName with an MSUPN, as well as some extensions, and the CA must be trusted by AD. These are outside of any PKCS#15 or OpenSC flags. Google for "Windows Vista Smart Card Infrastructure"; there was a 67-page document from 2007 that could be interesting.

But as has been pointed out, the PKCS#15 flags initialized by OpenSC for the PIN and the private keys don't look correct, and may only be working on Unix systems with OpenSC because they are being ignored, whereas on Windows they may be being checked. I.e. the Windows driver looks for a certificate (and maybe a pubkey) that can verify and a matching private key that can sign. Martin's note of 1/9/2011 looks like it addresses all these differences.

P.S. PKINIT can also work on Unix to AD (or to another Kerberos KDC) by using pam_krb5, which has PKINIT support that uses PKCS#11 to OpenSC. I can use my government-issued PIV card, or a PIV card where I get a certificate from our Windows CA, to log in at a Windows or Unix machine to AD.

> Kind regards,

--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
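The reply above says the certificate used for Windows smartcard logon "may need to have a subjectAltName with a MSUPN, as well as some extensions", independent of any PKCS#15 flag. The script below, an added example that is not part of the thread or of OpenSC, checks exactly that on the DER-encoded subjectAltName and extendedKeyUsage extension values: it looks for the Microsoft UPN otherName (OID 1.3.6.1.4.1.311.20.2.3) in the SAN and for the Smart Card Logon (1.3.6.1.4.1.311.20.2.2) and Client Authentication (1.3.6.1.5.5.7.3.2) EKUs. The sample extension bytes are constructed inline with a tiny DER encoder so it runs offline; pointing it at a real certificate (e.g. the extnValue bytes returned by `pkcs15-tool --read-certificate` fed through any ASN.1 parser) is left to the reader.

```python
"""Check a certificate's SAN and EKU for the Windows smartcard-logon requirements.

Added example for the opensc-devel thread; not OpenSC code. The OIDs are
Microsoft's published values. The sample extension values at the bottom are
constructed here for demonstration, not taken from any real card.
"""

UPN_OTHERNAME_OID = "1.3.6.1.4.1.311.20.2.3"    # szOID_NT_PRINCIPAL_NAME
SMARTCARD_LOGON_EKU = "1.3.6.1.4.1.311.20.2.2"  # szOID_KP_SMARTCARD_LOGON
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"           # id-kp-clientAuth (RFC 5280)


# ---- minimal DER helpers (definite-length only, enough for X.509 extensions) ----

def _encode_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """Wrap content in a DER TLV with the given tag byte."""
    return bytes([tag]) + _encode_length(len(content)) + content


def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for arc in parts[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(content):
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    lead = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])


def parse_tlvs(data):
    """Return a list of (tag, content) for the TLVs packed in data."""
    items, i = [], 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        items.append((tag, data[i:i + length]))
        i += length
    if i != len(data):
        raise ValueError("truncated DER")
    return items


# ---- the actual checks ----

def san_upn(san_der):
    """Return the UPN from a subjectAltName extension value (the bytes inside
    extnValue's OCTET STRING), or None if no UPN otherName is present."""
    (tag, names), = parse_tlvs(san_der)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE OF GeneralName")
    for tag, content in parse_tlvs(names):
        if tag != 0xA0:            # otherName is [0] IMPLICIT, constructed
            continue               # rfc822Name/dNSName etc. cannot carry a UPN
        (oid_tag, oid), (val_tag, val) = parse_tlvs(content)
        if oid_tag != 0x06 or decode_oid(oid) != UPN_OTHERNAME_OID:
            continue
        if val_tag != 0xA0:        # value is [0] EXPLICIT around the UTF8String
            continue
        (inner_tag, inner), = parse_tlvs(val)
        if inner_tag != 0x0C:
            raise ValueError("UPN otherName value is not a UTF8String")
        return inner.decode("utf-8")
    return None


def eku_oids(eku_der):
    """Return the dotted OIDs listed in an extendedKeyUsage extension value."""
    (tag, content), = parse_tlvs(eku_der)
    if tag != 0x30:
        raise ValueError("extendedKeyUsage must be a SEQUENCE OF OID")
    return [decode_oid(c) for t, c in parse_tlvs(content) if t == 0x06]


def logon_checks(san_der, eku_der):
    upn = san_upn(san_der)
    ekus = eku_oids(eku_der)
    return {
        "upn": upn,
        "has_upn": upn is not None,
        "smartcard_logon_eku": SMARTCARD_LOGON_EKU in ekus,
        "client_auth_eku": CLIENT_AUTH_EKU in ekus,
    }


# ---- constructed sample inputs (not from a real certificate) ----

def build_san(upn=None, email=None):
    names = []
    if upn:
        other = encode_oid(UPN_OTHERNAME_OID) + der(0xA0, der(0x0C, upn.encode()))
        names.append(der(0xA0, other))
    if email:
        names.append(der(0x81, email.encode("ascii")))   # rfc822Name [1]
    return der(0x30, b"".join(names))


def build_eku(*oids):
    return der(0x30, b"".join(encode_oid(o) for o in oids))


GOOD_SAN = build_san(upn="alice@corp.example", email="alice@corp.example")
BAD_SAN = build_san(email="alice@corp.example")      # e-mail only: no UPN for AD
GOOD_EKU = build_eku(CLIENT_AUTH_EKU, SMARTCARD_LOGON_EKU)
BAD_EKU = build_eku(CLIENT_AUTH_EKU)                 # typical TLS client cert

if __name__ == "__main__":
    print("good cert:", logon_checks(GOOD_SAN, GOOD_EKU))
    print("bad cert: ", logon_checks(BAD_SAN, BAD_EKU))
```

The point of keeping the parser this small is that the two checks sit in the extension bytes themselves, not in any PKCS#15 object attribute: a card whose pkcs15 PIN and key flags are perfect will still be refused for domain logon if the certificate was issued without the UPN otherName, and a certificate that passes these checks still needs its issuing CA trusted by AD, as the reply notes.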