Re: [opensc-devel] state of the project?
Hello, 2012/11/18 Andreas Schwier andreas.schw...@cardcontact.de: My point is, that I offer to do the integration on opensc-java (as I already had commit rights to the old repository). I just created a OpenSC-Java maintainers team. Give me your github login and I add you to the team. You will then be able to push changes. Bye -- Dr. Ludovic Rousseau ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] state of the project?
Hello, 2012/11/17 Alon Bar-Lev alon.bar...@gmail.com: On Sat, Nov 17, 2012 at 11:54 PM, Ludovic Rousseau I don't think I can give you admin access to only these 2 projects. I can add you as a member of the OpenSC organisation and you would have access to all the repositories. Yes you can, there are teams, each team can have admin/write/read access to specific repositories. I created a OpenCT maintainers team [1]. Alon Bar-Lev is the only member of the team but I can add others. Alon, you should be able to push changes directly in OpenSC / openct If you need something else just ask the OpenSC owners (Martin, Viktor and myself for now). Bye [1] https://github.com/organizations/OpenSC/teams -- Dr. Ludovic Rousseau ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] New SE (Security Element) Company Formed
On Thu, Nov 15, 2012 at 7:12 PM, Anders Rundgren anders.rundg...@telia.com wrote: Another hurdle is that the GP security model is incompatible with the Internet: GP presumes mutual authentication AFAIK. This is how the Google Wallet currently works (Google holds the master keys to the SE) but that's not really cutting it. I don't believe that the industry players would want to give up their current position easily. Appstores (authority over what can be installed without hurdles), keys to the empire (GP-style approach) or monetary gatekeepers (who can charge a certain % for what is happening in their gardens) make money. Telcos would prefer to kill data based instant messaging providers without hesitation, if they could - SMS makes golden eggs... Interenet as an ideal is one thing, business as usual must still live on, unfortunately. Martin ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] state of the project?
Hello On Wed, Nov 14, 2012 at 7:37 PM, Ludovic Rousseau ludovic.rouss...@gmail.com wrote: But Martin is now missing. :) I've not fallen off the edge of the earth, but I've been only digesting e-mails that have been addressed to me directly and thus ended up in main inbox (which not many have, at least according to gmail filtering) Martin ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] state of the project?
It's probably a good occasion to clean-up the list. We should define a date at which we switch to the new list and send a final termination notice with pointers to the new list. After that notice we should reject any further e-mails to the list and keep the archive around a little longer. Andreas Am 21.11.2012 17:59, schrieb Ludovic Rousseau: 2012/11/18 Ludovic Rousseau ludovic.rouss...@gmail.com: 2012/11/18 Viktor Tarasov viktor.tara...@gmail.com: mailing list will go (without archive ?) to SourceForge, or, in case of the last minute obstacles, to groups.google.com. The numbers of members to the 3 lists hosted at opensc-project.org are: 546 opensc-devel_members.txt 129 opensc-announce_members.txt 39 opensc-commits_members.txt I created 3 mailing lists at SourceForge OpenSC project https://sourceforge.net/p/opensc/mailman/ It looks like it is possible to mass subscribe to a mailman list [1]. But I could not find how using the SourceForge list interface. I found how to mass subscribe to the new mailing lists I created. Maybe the only (and good) solution is to ask people to subscribe at SourceForge. What do you think is best: - mass subscription without asking for permission? - ask people to subscribe to the new lists? Maybe some people are on the list but no more interested by OpenSC. Maybe they just redirect the emails into the spam/trash folder. What do you think? Thanks -- -CardContact Software System Consulting |.## ##.| Andreas Schwier |# #| Schülerweg 38 |# #| 32429 Minden, Germany |'## ##'| Phone +49 571 56149 -http://www.cardcontact.de http://www.tscons.de http://www.openscdp.org ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] state of the project?
Hello, On Wed, Nov 21, 2012 at 6:59 PM, Ludovic Rousseau ludovic.rouss...@gmail.com wrote: Maybe some people are on the list but no more interested by OpenSC. Maybe they just redirect the emails into the spam/trash folder. There's a fairly constant flow of people to and off the list according to subscription notices, so I believe the folder people either track it passively or actually do know when then unsubscribe or re-subscribe. Martin ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] state of the project?
On Sat, Nov 17, 2012 at 11:57 PM, Peter Stuge pe...@stuge.se wrote: Ludovic Rousseau wrote: The idea of git is to _not_ have to give access. Just send pull requests and I (or another admin) will pull your code. No, the purpose of git must not be limiting access :) Yes and no. Multiple people writing to a central repo works perfectly fine also with git. Yes. The Original Goal(tm) was that instead of bureaucratic rubber-stamping commits and dividing the whoever extra pair of eyes and brains and access would actually look, read, digest *and if necessary, reject* a pull request and mentor it with reasonable comments. Be it coherent design, sloppy naming and whitespace, comments in chinese or something else. Martin ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] state of the project?
On Wed, Nov 21, 2012 at 7:25 PM, Martin Paljak mar...@martinpaljak.net wrote: Yes and no. Multiple people writing to a central repo works perfectly fine also with git. Yes. The Original Goal(tm) was that instead of bureaucratic rubber-stamping commits and dividing the whoever extra pair of eyes and brains and access would actually look, read, digest *and if necessary, reject* a pull request and mentor it with reasonable comments. Be it coherent design, sloppy naming and whitespace, comments in chinese or something else. And the fact that feedback before merging is better than when somebody goes on to janitoring some code (OK for generic cleanup but usually causes psychological stress if it includes something more) Martin ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] state of the project?
Bonjour, On Wed, Nov 14, 2012 at 7:37 PM, Ludovic Rousseau ludovic.rouss...@gmail.com wrote: Andreas, the host available at opensc-project.org will disapear at the end of the year 2012 [2]. There will be a semi-managed (meaning managed backup and other monitoring) Debian box available for the foreseeable future. I'll shift the current authorized_keys file over and send a private e-mail with details to the ones in the ssh list. Martin ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] New SE (Security Element) Company Formed
2012/11/21 Martin Paljak mar...@martinpaljak.net: On Thu, Nov 15, 2012 at 7:12 PM, Anders Rundgren anders.rundg...@telia.com wrote: Another hurdle is that the GP security model is incompatible with the Internet: GP presumes mutual authentication AFAIK. This is how the Google Wallet currently works (Google holds the master keys to the SE) but that's not really cutting it. I don't believe that the industry players would want to give up their current position easily. Appstores (authority over what can be installed without hurdles), keys to the empire (GP-style approach) or monetary gatekeepers (who can charge a certain % for what is happening in their gardens) make money. Telcos would prefer to kill data based instant messaging providers without hesitation, if they could - SMS makes golden eggs... are you sure that is still the case? SMS flat is down to 5€/month over here. and I use google talk all the time instead of SMS, unless it is someone who doesn't have an android phone. Interenet as an ideal is one thing, business as usual must still live on, unfortunately. thats a bit harsh I think - its not like the mobile carriers e.g. aren't trying to sell payment systems on top of their infrastructure or similar, but at the end it doesn't gain wide acceptance it seems. maybe too expensive? also for them change is very expensive - their equipment is certified and expensive, and any additional feature might require an upgrade to new equipment with expensive addons in the software/hardware. plus they have a huge amount of equipment so any change affects a lot of parts. no wonder the mobile carriers think change is expensive. still they change when necessary, e.g. to adapt to new speeds/tech like LTE, but in that case they know that everyone left behind will likely die soon, and that the quality level on their network will only get worse with the explosion of mobile data usage. I cannot comment on many things discussed here, but as someone living in an SSO world, where I have one place to authenticate, and every app I use gets the authentication from that central place via OAuth: that is real nice. Thus my personal goal would be no longer to be able to get many credentials from many places, but only to handle one credentials with one service on the other side, and handle that very, very well. every other place can use OAuth with that central place. (remember how I opposed using openid in the past? seeing how nice it is to have such infrastructure changed my view on that) Regards, Andreas Martin ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] New SE (Security Element) Company Formed
On Wed, Nov 21, 2012 at 8:55 PM, Andreas Jellinghaus andr...@ionisiert.de wrote: 2012/11/21 Martin Paljak mar...@martinpaljak.net: On Thu, Nov 15, 2012 at 7:12 PM, Anders Rundgren anders.rundg...@telia.com wrote: Another hurdle is that the GP security model is incompatible with the Internet: GP presumes mutual authentication AFAIK. This is how the Google Wallet currently works (Google holds the master keys to the SE) but that's not really cutting it. I don't believe that the industry players would want to give up their current position easily. Appstores (authority over what can be installed without hurdles), keys to the empire (GP-style approach) or monetary gatekeepers (who can charge a certain % for what is happening in their gardens) make money. Telcos would prefer to kill data based instant messaging providers without hesitation, if they could - SMS makes golden eggs... are you sure that is still the case? SMS flat is down to 5€/month over here. and I use google talk all the time instead of SMS, unless it is someone who doesn't have an android phone. Even public sources estimate a nice business And text messaging is still a big business, accounting for an estimated $21 billion in U.S. revenue for telecom companies last year and an estimated $23 billion this year, according to the Consumer Federation of America. Source: http://articles.latimes.com/2011/aug/21/business/la-fi-texting-20110822 The ROI on SMS is not comparable to the investments and increasing traffic for data services (where messaging is accounts only for a 1% of traffic, I believe) Interenet as an ideal is one thing, business as usual must still live on, unfortunately. thats a bit harsh I think - its not like the mobile carriers e.g. aren't trying to sell payment systems on top of their infrastructure or similar, but at the end it doesn't gain wide acceptance it seems. maybe too expensive? Sure, as long as they can get a % of the business happening in their walled garden. Then again, financial services and payments are important parts of the overall who controls the money routes, controls the business play, so I don't expect any of the carriers or handset platform providers to open up a loophole that would allow for some 3rd party to easily take their market, without paying. There's just no commercial interest. So yes, harsh, but I believe realistic. I cannot comment on many things discussed here, but as someone living in an SSO world, where I have one place to authenticate, and every app I use gets the authentication from that central place via OAuth: that is real nice. Thus my personal goal would be no longer to be able to get many credentials from many places, but only to handle one credentials with one service on the other side, and handle that very, very well. every other place can use OAuth with that central place. (remember how I opposed using openid in the past? seeing how nice it is to have such infrastructure changed my view on that) Sure. But that should be an *option* rather than requirement. Eventually you still would want to separate your bank account from your google account, for example. Maybe in 10 years this sounds like a stupid idea for the younger generation, but this moment in time I still would prefer the option to choose my credentials and identities (but would love to re-use them as *I* want, not how some vendor wants it (what makes OpenID better than peered implementations like saml or facebook connect or..) Sorry to hear about the OpenID thing though ;) Martin ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] New SE (Security Element) Company Formed
2012/11/21 Martin Paljak mar...@martinpaljak.net: On Wed, Nov 21, 2012 at 8:55 PM, Andreas Jellinghaus andr...@ionisiert.de wrote: 2012/11/21 Martin Paljak mar...@martinpaljak.net: On Thu, Nov 15, 2012 at 7:12 PM, Anders Rundgren anders.rundg...@telia.com wrote: Another hurdle is that the GP security model is incompatible with the Internet: GP presumes mutual authentication AFAIK. This is how the Google Wallet currently works (Google holds the master keys to the SE) but that's not really cutting it. I don't believe that the industry players would want to give up their current position easily. Appstores (authority over what can be installed without hurdles), keys to the empire (GP-style approach) or monetary gatekeepers (who can charge a certain % for what is happening in their gardens) make money. Telcos would prefer to kill data based instant messaging providers without hesitation, if they could - SMS makes golden eggs... are you sure that is still the case? SMS flat is down to 5€/month over here. and I use google talk all the time instead of SMS, unless it is someone who doesn't have an android phone. Even public sources estimate a nice business And text messaging is still a big business, accounting for an estimated $21 billion in U.S. revenue for telecom companies last year and an estimated $23 billion this year, according to the Consumer Federation of America. Source: http://articles.latimes.com/2011/aug/21/business/la-fi-texting-20110822 http://ovum.com/press_releases/ovum-estimates-that-operators-lost-13-9bn-in-2011-due-to-social-messaging/ other source wine about lost revenue due to people using facebook chat and friends instead of sms. (no statement relating to increased revenue for the data tarif so people can use facebook of course...) The ROI on SMS is not comparable to the investments and increasing traffic for data services (where messaging is accounts only for a 1% of traffic, I believe) yes, the stories about price per bit for a sms are quite old. but if 2011 already 9% of chat moved from sms to facebookfriends, that is a strong development and guess that trend increases. Interenet as an ideal is one thing, business as usual must still live on, unfortunately. thats a bit harsh I think - its not like the mobile carriers e.g. aren't trying to sell payment systems on top of their infrastructure or similar, but at the end it doesn't gain wide acceptance it seems. maybe too expensive? Sure, as long as they can get a % of the business happening in their walled garden. Then again, financial services and payments are important parts of the overall who controls the money routes, controls the business play, so I don't expect any of the carriers or handset platform providers to open up a loophole that would allow for some 3rd party to easily take their market, without paying. There's just no commercial interest. So yes, harsh, but I believe realistic. I cannot comment on many things discussed here, but as someone living in an SSO world, where I have one place to authenticate, and every app I use gets the authentication from that central place via OAuth: that is real nice. Thus my personal goal would be no longer to be able to get many credentials from many places, but only to handle one credentials with one service on the other side, and handle that very, very well. every other place can use OAuth with that central place. (remember how I opposed using openid in the past? seeing how nice it is to have such infrastructure changed my view on that) Sure. But that should be an *option* rather than requirement. Eventually you still would want to separate your bank account from your google account, for example. Sure, I want several different authentication options, one for work, one for home, but causal things, and one for very important things like banking. but if I have accounts at several banks, all could use a shared very-secure authentication mechanism, I wouldn't mind. the problem is each bank wants to have their own mechanism I guess. how is the experience with the eID in estonia? I thought that was the one case where people used one central eID card for many things, like authenticating to banks for online banking - and it is not tied to one bank only? Maybe in 10 years this sounds like a stupid idea for the younger generation, but this moment in time I still would prefer the option to choose my credentials and identities (but would love to re-use them as *I* want, not how some vendor wants it (what makes OpenID better than peered implementations like saml or facebook connect or..) I love the idea of having more control. if there is a secure clearing provider for authentication, I might prefer to have him in the loop, rather than the bank. some of them don't seem to do a good job with basic things like a useable web page, or asking me for strangely limited passwords, etc. I'm not advocating the one for
Re: [opensc-devel] state of the project?
On Wed, Nov 21, 2012 at 4:52 PM, Ludovic Rousseau ludovic.rouss...@gmail.com wrote: Hello, 2012/11/17 Alon Bar-Lev alon.bar...@gmail.com: On Sat, Nov 17, 2012 at 11:54 PM, Ludovic Rousseau I don't think I can give you admin access to only these 2 projects. I can add you as a member of the OpenSC organisation and you would have access to all the repositories. Yes you can, there are teams, each team can have admin/write/read access to specific repositories. I created a OpenCT maintainers team [1]. Alon Bar-Lev is the only member of the team but I can add others. Alon, you should be able to push changes directly in OpenSC / openct If you need something else just ask the OpenSC owners (Martin, Viktor and myself for now). Bye [1] https://github.com/organizations/OpenSC/teams -- Dr. Ludovic Rousseau Please do the same for pkcs11-helper, thanks! ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
