David Corcoran wrote:
> 
> Hi,
> 
> Sorry for the confusion, when I said RPC like service I meant a service
> that uses GSS-API or something tunnelled under ssh.  Keep in mind this is
> a separate service that acts as an application to PC/SC - I would never
> make this part of PC/SC and it would never be Sun RPC.
> 
> I do need some sort of authentication service which uses GSS-API or
> something so that in an environment such as the SunRay or Citrix I can
> call back to the local smartcard reader since the authentication device
> does not reside on the machine wishing to authenticate.  Also, this is
> needed for remote authentication services such as ftp/telnet.
> 

Well, it depends on how you do it. If you allow a remote application
unrestricted access to a smart card reader, even if the traffic is
encrypted, it can have bad consequences.

For example it could send a request to the card to sign additional data
(e.g. to access another host) or to decrypt data (e.g. S/MIME email
secured with the same key).

If the protocol is designed properly, such problems can readily be
avoided.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
***************************************************************
Linux Smart Card Developers - M.U.S.C.L.E.
(Movement for the Use of Smart Cards in a Linux Environment)
http://www.linuxnet.com/smartcard/index.html
***************************************************************
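
One way to get the property discussed above, as an added example that is not part of the original message or of PC/SC: a local agent that exposes a single login operation instead of raw card access, and builds the bytes to be signed itself from the transport-authenticated peer name. Assumptions: HMAC stands in for the card's private-key operation, and the names `handle_request`, `login_blob`, the `REMOTE-LOGIN-V1` label and the request dictionary layout are hypothetical.

```python
import hashlib
import hmac

# Stand-in for the card's private-key operation (assumption: a real card
# would produce a public-key signature; HMAC keeps this self-contained).
CARD_KEY = b"constructed-demo-key"
CONTEXT = b"REMOTE-LOGIN-V1\x00"   # hypothetical domain-separation label
NONCE_LEN = 32


class Refused(Exception):
    """Raised when the local agent declines a remote request."""


def card_sign(data: bytes) -> bytes:
    return hmac.new(CARD_KEY, data, hashlib.sha256).digest()


def login_blob(peer: str, nonce: bytes) -> bytes:
    # Built locally and length-prefixed so the fields cannot run together.
    name = peer.encode("utf-8")
    if len(name) > 255:
        raise Refused("peer name too long")
    return CONTEXT + bytes([len(name)]) + name + nonce


def handle_request(peer: str, request: dict) -> bytes:
    """peer is the host name authenticated by the transport (GSS-API or
    ssh); it is never taken from the request body."""
    if request.get("op") != "login":
        raise Refused("only the login operation is exposed remotely")
    nonce = request.get("nonce")
    if not isinstance(nonce, bytes) or len(nonce) != NONCE_LEN:
        raise Refused("nonce must be exactly %d bytes" % NONCE_LEN)
    return card_sign(login_blob(peer, nonce))


def verify_login(host: str, nonce: bytes, sig: bytes) -> bool:
    # Each host accepts only a response bound to its own name and nonce.
    return hmac.compare_digest(sig, card_sign(login_blob(host, nonce)))


if __name__ == "__main__":
    nonce = bytes(range(NONCE_LEN))          # constructed sample nonce
    sig = handle_request("hostA.example", {"op": "login", "nonce": nonce})
    print(verify_login("hostA.example", nonce, sig))   # accepted by hostA
    print(verify_login("hostB.example", nonce, sig))   # useless at hostB
```

Because the remote side supplies only a fixed-length nonce, it cannot choose the data the card signs, and a response issued for one peer does not verify at another.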
