2011/11/7 Hannu Kotipalo <hannu.kotip...@iki.fi>:
> Hi!

Hello,

> First, shortly about the case: the idea is to use a 3rd-party-issued smart
> card to log in to a computer. Basically you ('sysop') rely on the 3rd
> party to identify the user reliably. Actually you are outsourcing the
> certificate management.
>
> I configured my system based on instructions from
> https://help.ubuntu.com/community/CommonAccessCard, with some changes:
> 1) Of course I use Finnish ID card 2) I use opensc instead of coolkey 3)
> cert-policy should definitely be "ca,signature" and preferably also
> "crl" (you can of course also manually remove login access for any
> card). Checking only ca is not enough; it would be easy to make a card
> that would pass (I think?).
>
> I assume pam_pkcs11 is mainly intended to be used with self-generated
> certificates instead of ID cards. So there is something to be improved
> (of course, if there is a will to support this kind of usage).
>
> Here are my comments:
> 1. When using ID cards, there is usually one Root CA certificate and
> one intermediate certificate. The current version of pam_pkcs11 needs both
> to be present in /etc/pam_pkcs11/cacerts/ for it to work. Since the
> certificate chain is also on the card used, the Root CA *should* be
> enough (not a big problem though).
> 2. For some reason the local CRL check does not seem to work for me.
> 3. There should be an option to download the CRL at a predefined interval and
> then use the local CRL check (of course you can write your own script..).
> 4. A GUI would be nice.. ;-)

Feel free to provide patches.
I have no time to work on pam_pkcs11, and no one else volunteered to
maintain pam_pkcs11 :-(

> About cURL and https: Compiling the source (0.6.7) after
> "./configure --with-curl" did not work. I also had to manually define it in
> uri.c: #define HAVE_CURL

Now fixed in revision 507. Thanks.

Bye

-- 
 Dr. Ludovic Rousseau
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
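As an added illustration of the cert_policy point raised above (not part of the thread, and not a file shipped by pam_pkcs11 or OpenSC), here is a pam_pkcs11.conf module block with the weak "ca"-only setting next to the hardened one; the module path and directory locations are assumptions that vary by distribution:

```conf
# Added example: /etc/pam_pkcs11/pam_pkcs11.conf (pkcs11_module section only).
# The module path below is an assumption; check where your distribution
# installs opensc-pkcs11.so.
pam_pkcs11 {
  use_pkcs11_module = opensc;

  pkcs11_module opensc {
    module = /usr/lib/opensc-pkcs11.so;
    description = "OpenSC PKCS#11 module";
    slot_num = 0;

    # With a 3rd-party ID card the trust anchors are not yours: put the
    # issuer's Root CA (and, as the thread notes, currently also the
    # intermediate) here, and the locally stored CRLs here.
    ca_dir  = /etc/pam_pkcs11/cacerts;
    crl_dir = /etc/pam_pkcs11/crls;

    # WEAK: only checks that the certificate chains to a CA in ca_dir.
    # It never proves the card holds the matching private key, so a
    # card carrying a copied public certificate would pass.
    # cert_policy = ca;

    # HARDENED: "signature" makes the module challenge the card and
    # verify the response against the certificate's public key;
    # "crl_auto" tries the CRL distribution point first and falls back
    # to the CRL stored in crl_dir, so a revoked card is refused.
    cert_policy = ca,signature,crl_auto;
  }
}
```

Note that crl_auto still relies on a reasonably fresh CRL in crl_dir when the download fails, which is exactly the periodic-refresh gap item 3 in the thread describes.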
