Hello,

Allow me to start by announcing that I am new to PKI smart-card management with OpenSC, and have only had experience working with Aladdin eToken devices and their proprietary middleware. However, I am fairly well versed in the concepts and fundamentals of PKI in general.
I've been reading through old mailing list entries, and I have read the FAQ, as well as the "getting started" guides generously provided on the OpenSC site. I've also done a bit of research across the 'net. However, I believe my question is a bit too general, and at the same time, too unique to easily hunt down, and would appreciate some guidance.

I'm in the process of preparing a migration from Aladdin USB eToken (CardOS 4.2) PKI tokens to credit-card contact chip PKI ID cards with built-in OTP functionality. The vendor has provided me with the specifications for the chips (Infineon SLE66C44PE_0105), which are CardOS based. I'd like to know what kind of questions I need to ask the vendor to ensure that the product I finally decide to order can be fully initialized and managed by OpenSC on my Linux system. (Being an old Slackware user, I am not afraid to compile stuff myself, but currently plan to use the Ubuntu 10.10 packages from the management system I already have in place if they will work.) I also need these cards, once initialized, to be used under Linux or Windows systems for general PKI purposes (email/certificate login/etc.).

Here is some information and a few requirements as I can think of them:

- I've already validated that the electronic interface will work with our existing card readers (integrated, and USB).
- We use 2048 bit RSA keys from certificates generated on an Active Directory (yeah... I know) 2008 R2 infrastructure, and imported onto the cards.
- I have OpenSC and Linux compatible card readers (SCM SCR3311) in use and working on the Linux systems. Our Windows systems will be using built-in card readers that are fully functional in Windows.
- I would like the ability to use a 3rd-party application (PKCS#15 compatible) to store a small piece of data on the card. (This is a Windows application, and will only be used on the Windows systems.)
- I intend to develop (read: throw together) a small front-end web UI to the CLI tools to ease card management for some personnel involved in the initialization and management of the cards. (I'll stick with the CLI myself.)
- I would like to ensure there is enough space to store more than one certificate, plus the extra data used by our 3rd-party app. I believe the 3rd-party app simply creates an object containing a hash or key of its own, and is relatively small: 2048 bits max. We had to upgrade our 32k Aladdin USB tokens to the 64k versions to allow for full functionality of the built-in OTP and PKI functions with 2048 bit keys, so I am working off of the concept that 64k should be the right amount of minimum memory to shoot for on this chip as well.
- The vendor has indicated that the built-in OTP function of the card can have the OTP seed programmed through the contact chip. Is anyone familiar with this? Is it something I might be able to do through OpenSC, or will that require some other application?

Here's what I know I need to tell the vendor based on things I have researched from OpenSC sources and my own experiences so far:

- I need the chips blank, not pre-initialized.
- I need to know what version(s) of CardOS are available for shipment on that chip.
- I need to have 64k of memory available for certificate and object storage.
- I need the chip to support 2048 bit RSA keys, and SHA1/SHA256 message digests.
- I need to know what SDK and emulation/simulation options are available for the chip for further development and testing.

I know some of the functions above are firmware related, and others are chip (hardware) related. I am *positive* there are some areas I haven't thought of yet, and would truly appreciate any and all input concerning things I need to consider before moving towards a solution.
Thanks for your time

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
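An added example, not part of the original post and not code from the OpenSC project: the initialization and management sequence the post describes (blank card, PKCS#15 structure with a user PIN, import of a 2048-bit RSA key and certificate exported from the Windows CA as PKCS#12, a small PIN-protected data object for the third-party application, then verification through the PKCS#11 module), written as a thin POSIX shell wrapper around the OpenSC command-line tools, the kind of layer a web front-end could call. The PINs, labels, object IDs, file names, the `pkcs15+onepin` profile and the module path are assumptions chosen for illustration. `DRY_RUN=1` prints each command instead of executing it, so the sequence can be reviewed without a reader. Programming the card's OTP seed is not attempted here; that is a question for the vendor, as the post says.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenSC project): a wrapper
# around the OpenSC CLI tools for the CardOS/PKCS#15 provisioning workflow.
# PINs, labels, IDs, file names, the profile and the module path are assumptions.
#
# DRY_RUN=1 prints each command instead of running it (no reader needed).
# Caveat: PINs given as arguments are visible in "ps" output; in production
# omit --pin/--puk/--passphrase and let the tools prompt instead.

DRY_RUN="${DRY_RUN:-0}"
PKCS11_MODULE="${PKCS11_MODULE:-/usr/lib/opensc-pkcs11.so}"
PIN_AUTH_ID="01"   # auth-id the pkcs15+onepin profile assigns to the user PIN

# run: execute the command, or print it on one line when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# card_identify: confirm OpenSC recognises the card before touching it
# (driver name, ATR, CardOS-specific info).
card_identify() {
    run opensc-tool --name
    run opensc-tool --atr
    run cardos-tool --info
}

# card_create_pkcs15 LABEL PIN PUK
# Create the PKCS#15 directory structure with a single user PIN/PUK.
card_create_pkcs15() {
    run pkcs15-init --create-pkcs15 --profile pkcs15+onepin \
        --pin "$2" --puk "$3" --label "$1"
}

# card_import_pkcs12 FILE PASSPHRASE PIN ID LABEL
# Store the RSA private key and the certificate(s) from a PKCS#12 bundle
# (e.g. one exported from the AD CA), usable only after the user PIN.
card_import_pkcs12() {
    run pkcs15-init --store-private-key "$1" --format pkcs12 --passphrase "$2" \
        --auth-id "$PIN_AUTH_ID" --pin "$3" --id "$4" --label "$5"
}

# card_store_data FILE LABEL APPNAME PIN
# Store an opaque PKCS#15 data object (the third-party app's small blob),
# protected by the user PIN so it is not world-readable from the card.
card_store_data() {
    run pkcs15-init --store-data "$1" --label "$2" --application-name "$3" \
        --auth-id "$PIN_AUTH_ID" --pin "$4"
}

# card_verify PIN
# Dump the PKCS#15 contents, list data objects, and run the PKCS#11 module's
# built-in sign/verify self-test against the keys on the card.
card_verify() {
    run pkcs15-tool --dump
    run pkcs15-tool --list-data-objects
    run pkcs11-tool --module "$PKCS11_MODULE" --login --pin "$1" --test
}

# provision_card: the full sequence for one card; values are illustrative.
provision_card() {
    card_identify
    card_create_pkcs15 "Alice Example" "1234" "12345678"
    card_import_pkcs12 "alice.p12" "p12-export-password" "1234" "45" "Alice login"
    card_store_data "otp-app-blob.bin" "OTP-App" "OTP-App" "1234"
    card_verify "1234"
}

# Entry point: "sh provision.sh provision" runs the sequence; with no argument
# the script only defines the functions, so a front-end can source them.
if [ "${1:-}" = "provision" ]; then
    provision_card
fi
```

Run it first with `DRY_RUN=1 sh provision.sh provision` to review the exact `pkcs15-init` invocations, then without `DRY_RUN` against a test card. Two points to settle with the vendor before relying on this: whether blank CardOS chips need the CardOS-specific format step (OpenSC ships `cardos-tool --format`, which on some CardOS versions requires the manufacturer's start key) before `pkcs15-init --create-pkcs15` will succeed, and what the card's actual EEPROM budget is once CardOS and the PKCS#15 structures are in place, since the per-object overhead is what decides whether two 2048-bit key/certificate pairs plus the application blob fit.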