Hello Alon,

On Fri, May 6, 2011 at 20:22, Alon Bar-Lev <alon.bar...@gmail.com> wrote:
>> For the sake of usability, exclusive mode should only be used *if needed*.
>> From a security perspective, it does not really matter, because if your host
>> is compromised, such software tricks are worthless. But daily smart card
>> usage usually means using different applications.
>>
>
> This is incorrect.
> A computer may be compromised at so many levels.

True.

> It is true that if someone has total (root) control over the computer,
> he may do whatever.
> However, other non-privileged users MUST NOT be able to gain access to
> resources used by other users.

That's desirable, yet not a trivial task. The definition (and enforcement) of a "current user" in both technical and physical terms is not always obvious; looking at what has happened with Linux in this area (with *Kit, device management daemons etc.) is IMHO a confession of this, as it still seems like a moving target. And at what level should this be enforced? Sometimes a USB flash disk is used as a "personal device", yet from the filesystem it looks like any other path that can have different permissions. And then there is the question of interoperability with Windows. Some systems are designed to be a "single user desktop" even if built on top of a multiuser system; some try to retain multiuser properties.

> Well, you can argue: if I modify the access to readers to a specific
> user, then no other user can access the device anyway.
> If this is enough for users, let it be.
> I don't think it is enough, as this state is not much different than
> using file-based cryptography.

Yes, that's why IMHO a second physical channel (like a pinpad) should be used if needed, with a PIN entry on the device for every use tightly controlling access to the key if required. Once you use cookies, stealing one from an application and abusing it is possible, even if made complicated by technological means. For generic PKI smart cards, in my opinion, priority one is guaranteeing the secrecy of key material, priority two is controlling access to operations with the key. A smart card is a physical device that guarantees key secrecy; a pinpad reader (or an equivalent physical device, biometric for example) guarantees access control that is not easy to tamper with. Everything else is software security.

> I know we do not agree on this, but I have never seen hardware
> cryptography using any similar assumption.

I would not draw a hard border of agreeing/not agreeing :) I just think that there's a reasonable risk/cost ratio at the moment, as is the situation with other similar "fundamental problems" with PKI (like embedding secure messaging keys in middleware? why use them at all in this case?). And that an ultimate solution that would work on all platforms (and all interfaces, including ones other than PKCS#11) and all usage patterns (where there is no "current user" for a token) is easily doable. Ideas on how to more tightly control access to the devices while keeping support for multiple applications with multiple cryptographic APIs are most welcome. But it should work sensibly with pinpad readers and cards that do not support the mentioned cookie machinery as well. What I believe in is providing a real-life working solution by default ("Ubuntu style", which manages this nicely by doing some "stupid things" along the way), with the option of tweaking for setups with specific requirements or just more paranoid people.

Cheers,
Martin

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel