On Fri, 06-05-2011 at 16:43 +0200, Jean-Michel Pouré - GOOZE wrote:
> On Friday 06 May 2011 at 17:24 +0300, Martin Paljak wrote:
> > But daily smart card usage usually means using different applications.
>
> OK. But shared mode does not work very well, especially with OpenSSH and
> Iceweasel (Firefox) together. I did some heavy testing and found
> usability problems in shared mode. IMHO, shared mode is not usable.
> Could someone confirm.
I cannot confirm that: for the Spanish DNIe, shared mode is the _only_ way to get so many applications working. A typical example is an authenticated https connection that loads and runs a document signing applet (this is a common issue in many gov web pages).

OpenDNIe has an interesting issue related to Secure Messaging and shared mode: the DNIe does not support logical channels with separate SM queues for each application. Every concurrent application _must_ share the same Secure Channel...

So my first approach was to "solve" it as you suggested: forbid concurrent applications to make sure that there is only one SM channel at a time. But this approach failed with most of our e-admin public web pages. So exclusive mode is a no-no for me.

The second approach was to implement a "secure channel server": divide OpenSC into a client-server application in a way that only the server talks with the reader driver... but this was too complex, and I also found that many apps still try to bypass the server and access pcsc directly :-(

So finally my solution was a "collision detector": the first app opens a card connection and creates an SM channel. When a second app starts, some app (or both) receives an "SM error" response; then just restart SM and retry. With proper locking this solution works in most tested scenarios...

... due to the "init & forget" approach common to most pkcs11 applications. For instance, Firefox calls C_Init at start... and forgets pkcs11 until it is (really) needed. So any signing applet can in turn start its own pkcs11, restart SM, do the work and call C_Finalize. When Firefox finally needs to access pkcs11, it just receives its own "SM error", restarts the channel and continues normally.

Sure, there are some cases where this approach fails: SSL renegotiation while the signing applet is running; two pkcs11 instances trying concurrent access to the card... but this is not as usual as thought.

..........
About security: I agree. We need some way to ensure that only one user can access the card at a time.

Juan Antonio

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
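The "collision detector" described in the message above, as an added illustration written for this page; it is not OpenSC or OpenDNIe code. It assumes a toy card model with exactly one Secure Messaging channel (opening SM from any application invalidates every other application's session keys), a constructed `SW_SM_ERROR` status word standing in for the "SM error" the mail mentions, and a reentrant lock that plays the role of a PC/SC transaction around "restart SM, then retry". The last function hand-interleaves two applications without that lock to show the retry itself being invalidated, which is the caveat the "proper locking" remark points at.

```python
import threading

# Constructed status words for the toy card; not real DNIe responses.
SW_OK = 0x9000
SW_SM_ERROR = 0x6988   # stands in for the "SM error" the mail describes


class ToyCard:
    """Toy model of a card with a single Secure Messaging (SM) channel.

    The card has no logical channels with separate SM queues, so opening
    SM from any application replaces the one channel and every other
    application's session keys stop matching (assumption of this model).
    """

    def __init__(self):
        self._txn = threading.RLock()   # models SCardBegin/EndTransaction
        self._current = 0               # id of the live SM channel, 0 = none

    def transaction(self):
        return self._txn

    def open_sm(self):
        """Mutual authentication + key derivation, abstracted to a counter."""
        with self._txn:
            self._current += 1
            return self._current

    def transmit(self, channel, apdu):
        """Reject any APDU protected with the keys of a stale channel."""
        with self._txn:
            if channel != self._current:
                return SW_SM_ERROR, b""
            return SW_OK, b"echo:" + apdu


class SmClient:
    """One application's view: its own SM channel plus the collision detector."""

    def __init__(self, card, name):
        self.card, self.name = card, name
        self.channel = None
        self.restarts = 0

    def send(self, apdu):
        # The transaction makes "restart SM, then retry" atomic with respect
        # to other applications, so the retry cannot itself be invalidated.
        with self.card.transaction():
            if self.channel is None:
                self.channel = self.card.open_sm()
            sw, data = self.card.transmit(self.channel, apdu)
            if sw == SW_SM_ERROR:
                self.restarts += 1
                self.channel = self.card.open_sm()
                sw, data = self.card.transmit(self.channel, apdu)
            return sw, data


def alternating_scenario():
    """Two applications taking turns, like a browser and a signing applet."""
    card = ToyCard()
    browser, applet = SmClient(card, "browser"), SmClient(card, "applet")
    results = []
    for app, apdu in [(browser, b"login"), (applet, b"sign"),
                      (browser, b"read"), (applet, b"sign")]:
        sw, _ = app.send(apdu)
        results.append((app.name, sw == SW_OK, app.restarts))
    return results


def concurrent_scenario(n=200):
    """Two threads hammering the card; every APDU must still end with SW_OK."""
    card = ToyCard()
    clients = [SmClient(card, "A"), SmClient(card, "B")]
    failures = []

    def worker(client):
        for i in range(n):
            sw, _ = client.send(b"op%d" % i)
            if sw != SW_OK:
                failures.append((client.name, i))

    threads = [threading.Thread(target=worker, args=(c,)) for c in clients]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(failures), sum(c.restarts for c in clients)


def race_without_transaction():
    """Hand-interleaved run showing why restart+retry needs the lock:
    A restarts SM, but B restarts again before A retries, so A fails."""
    card = ToyCard()
    a_channel = card.open_sm()
    card.open_sm()                              # B opens SM, invalidating A
    sw, _ = card.transmit(a_channel, b"x")      # A sees the SM error
    a_channel = card.open_sm()                  # A restarts...
    card.open_sm()                              # ...but B restarts first
    sw, _ = card.transmit(a_channel, b"x")      # A's retry fails again
    return sw


if __name__ == "__main__":
    print(alternating_scenario())
    print(concurrent_scenario())
    print(hex(race_without_transaction()))
```

In the alternating run each application pays exactly one SM restart the first time it touches the card after the other one did, which is the "init & forget" pattern the mail describes; in the threaded run no APDU ever fails because the restart and the retry happen inside one transaction. The third function is the same interleaving with the transaction removed, and its retry is rejected just like the first attempt.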