2011/11/7 Hannu Kotipalo <hannu.kotip...@iki.fi>:
> Hi!

Hello,

> First shortly about the case; the idea is to use a 3rd-party-issued smart
> card to log in to a computer. Basically you ('sysop') rely on that 3rd
> party to identify the user reliably. Actually you are outsourcing the
> certificate management.
>
> I configured my system based on instructions from
> https://help.ubuntu.com/community/CommonAccessCard, with some changes:
> 1) Of course I use Finnish ID card
> 2) I use opensc instead of coolkey
> 3) cert-policy should definitely be "ca,signature" and preferably also
> "crl" (you can of course also manually remove login access for any
> card). Checking only ca is not enough, it would be easy to make a card
> that would pass (I think?).
>
> I assume pam_pkcs11 is mainly purposed to be used on self-generated
> certificates instead of ID cards. So there is something to be improved
> (of course, if there is will to support this kind of usage).
>
> Here are my comments:
> 1. When using ID cards, there are usually one Root CA certificate and
> one intermediate certificate. The current version of pam_pkcs11 needs both
> to be present in /etc/pam_pkcs11/cacerts/ for it to work. Since the
> certificate chain is also on the card used, the Root CA *should* be
> enough (not a big problem though).
> 2. For some reason local crl check does not seem to work for me.
> 3. There should be an option to download crl at a predefined interval and
> then use local crl check (of course you can write your own script..)
> 4. GUI would be nice.. ;-)

Feel free to provide patches. I have no time to work on pam_pkcs11, and
no one else volunteered to maintain pam_pkcs11 :-(

> About the cURL and https: Compiling the source (0.6.7) after
> "./configure --with-curl" did not work. I also had to manually define it in
> uri.c: #define HAVE_CURL

Now fixed in revision 507.

Thanks.

Bye

-- 
Dr. Ludovic Rousseau

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
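An added example, not part of this thread or of pam_pkcs11, that makes the cert-policy discussion above concrete: it builds a throwaway Root CA, intermediate CA and card-holder certificate with the openssl command line, revokes the card certificate, and then verifies the chain once with only the trusted root plus an untrusted intermediate (what "ca,signature" checks) and once with the intermediate's CRL consulted as well (what adding "crl" buys). The names, subjects and the ca.cnf fragment are constructed for the demo and assume only that the openssl CLI (1.1.1 or later) is installed.

```shell
#!/bin/sh
# Added example, not from the thread: throwaway Root CA -> intermediate -> card
# certificate built with openssl to illustrate the pam_pkcs11 cert-policy point.
# "ca,signature": chain verifies up to a trusted root (intermediate may travel
# with the card, untrusted); "crl": the issuing CA's CRL is consulted as well.
set -e
work=$(mktemp -d); cd "$work"
for n in root inter user; do openssl genrsa -out "$n.key" 2048 2>/dev/null; done
# extensions every CA certificate needs: CA flag plus cert/CRL signing key usage
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
# self-signed root (constructed name)
openssl req -new -key root.key -subj "/CN=Example Root CA" -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.crt 2>/dev/null
# intermediate signed by the root
openssl req -new -key inter.key -subj "/CN=Example Intermediate CA" -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 \
  -extfile ca.ext -out inter.crt 2>/dev/null
# card-holder certificate signed by the intermediate (the cert that lives on the card)
openssl req -new -key user.key -subj "/CN=Card Holder" -out user.csr 2>/dev/null
openssl x509 -req -in user.csr -CA inter.crt -CAkey inter.key -CAcreateserial -days 30 \
  -out user.crt 2>/dev/null
# minimal "openssl ca" setup so the intermediate can publish a CRL
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = inter
[ inter ]
database = index.txt
crlnumber = crlnumber
certificate = inter.crt
private_key = inter.key
default_md = sha256
default_crl_days = 30
EOF
touch index.txt; echo 01 > crlnumber
openssl ca -config ca.cnf -revoke user.crt 2>/dev/null   # card reported lost: revoke it
openssl ca -config ca.cnf -gencrl -out inter.crl 2>/dev/null
verify_chain() {      # "ca,signature": trust only the root; intermediate supplied untrusted
  openssl verify -CAfile root.crt -untrusted inter.crt user.crt >/dev/null 2>&1
}
verify_chain_crl() {  # "ca,signature,crl": same chain, plus the intermediate's CRL
  openssl verify -crl_check -CRLfile inter.crl -CAfile root.crt -untrusted inter.crt \
    user.crt >/dev/null 2>&1
}
if verify_chain; then echo "chain only: accepted (revocation unnoticed)"; else echo "chain only: rejected"; fi
if verify_chain_crl; then echo "with CRL:   accepted"; else echo "with CRL:   rejected (certificate revoked)"; fi
```

The root alone suffices for the chain check as long as the intermediate is supplied alongside the card certificate, which is the situation Hannu describes; the revoked card is only rejected once a CRL from the issuing intermediate is part of the check.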