Re: [Freeipa-devel] Fwd: access control in PCSC - does it apply to PKCS#11?

2014-02-28 Thread Jan Cholasta

Hi,

On 28.2.2014 10:11, Petr Spacek wrote:

Hello list,

Proposal for access control related to PC/SC smart cards follows.

I have no idea if it applies to PKCS#11 or not but I think somebody
knowledgeable in this area should look into it ...

I'm sorry Honza :-)


Don't be, this seems to be related to PKCS#15 and the PC/SC daemon only, 
neither of which we are going to interact with whatsoever (correct me if 
I'm wrong).




Petr^2 Spacek

 Original Message 
Subject: F21 System Wide Change: Access control in PCSC
Date: Thu, 27 Feb 2014 16:59:14 +0100
From: Jaroslav Reznik 
Reply-To: de...@lists.fedoraproject.org
Organization: Red Hat, Inc.
To: devel-annou...@lists.fedoraproject.org

= Proposed System Wide Change: Access control in PCSC =
https://fedoraproject.org/wiki/Changes/PcscAccessControl

Change owner(s): Nikos Mavrogiannopoulos 

Add access control to PC/SC smart cards available in the system. Adding access
control would (a) prevent unauthorized processes/users from reading data on a
smart card, (b) prevent unauthorized processes/users from erasing a smart
card, (c) prevent unauthorized processes/users from talking to the smart card
firmware.

== Detailed Description  ==
Add access control to PC/SC smart cards available in the system. Currently
smart cards may provide their own access control for certain elements of a
card such as a private key. Their access control method is typically a PIN,
but can also be a biometric based one. That however, is not sufficient to
prevent certain actions on the non-PIN protected elements. For example cards
that provide a PKCS #15 filesystem can be modified by anyone that has access in
the system (e.g., erased using pkcs15-init -E).

The default settings allowed should be similar to the default settings for
hard disks, i.e., root and the user in console should be able to access the
smart card.

Adding access control would
* prevent unauthorized processes/users from reading data on a smart card
* prevent unauthorized processes/users from erasing a smart card
* prevent unauthorized processes/users from talking to the smart card firmware

The way access control will be implemented is using polkit which is already
being used to control access to hard disks. As smart cards share a lot with
hard disks (e.g., a filesystem, and are inserted by the console user), sharing
the same access control method is beneficial.

== Scope ==
polkit support has to be added to PC/SC daemon. An initial version has already
been developed and communicated upstream.

* Proposal owners: The polkit support has to be merged with the Fedora
package. That requires changes to the pcsc daemon only, but indirectly all
packages that potentially may use smart cards are affected (opensc, firefox,
...).

* Other developers: Packages that use PC/SC smart cards must be checked that
they work as expected after the access control change.

* Release engineering:  No coordination is required.

* Policies and guidelines: If there is any security policy documentation, it
should be updated to include the new policies on smart cards (I couldn't find
any such documentation though).



--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


[Freeipa-devel] Fwd: access control in PCSC - does it apply to PKCS#11?

2014-02-28 Thread Petr Spacek

Hello list,

Proposal for access control related to PC/SC smart cards follows.

I have no idea if it applies to PKCS#11 or not but I think somebody 
knowledgeable in this area should look into it ...


I'm sorry Honza :-)

Petr^2 Spacek

 Original Message 
Subject: F21 System Wide Change: Access control in PCSC
Date: Thu, 27 Feb 2014 16:59:14 +0100
From: Jaroslav Reznik 
Reply-To: de...@lists.fedoraproject.org
Organization: Red Hat, Inc.
To: devel-annou...@lists.fedoraproject.org

= Proposed System Wide Change: Access control in PCSC =
https://fedoraproject.org/wiki/Changes/PcscAccessControl

Change owner(s): Nikos Mavrogiannopoulos 

Add access control to PC/SC smart cards available in the system. Adding access
control would (a) prevent unauthorized processes/users from reading data on a
smart card, (b) prevent unauthorized processes/users from erasing a smart
card, (c) prevent unauthorized processes/users from talking to the smart card
firmware.

== Detailed Description  ==
Add access control to PC/SC smart cards available in the system. Currently
smart cards may provide their own access control for certain elements of a
card such as a private key. Their access control method is typically a PIN,
but can also be a biometric based one. That however, is not sufficient to
prevent certain actions on the non-PIN protected elements. For example cards
that provide a PKCS #15 filesystem can be modified by anyone that has access in
the system (e.g., erased using pkcs15-init -E).

The default settings allowed should be similar to the default settings for
hard disks, i.e., root and the user in console should be able to access the
smart card.

Adding access control would
* prevent unauthorized processes/users from reading data on a smart card
* prevent unauthorized processes/users from erasing a smart card
* prevent unauthorized processes/users from talking to the smart card firmware

The way access control will be implemented is using polkit which is already
being used to control access to hard disks. As smart cards share a lot with
hard disks (e.g., a filesystem, and are inserted by the console user), sharing
the same access control method is beneficial.

== Scope ==
polkit support has to be added to PC/SC daemon. An initial version has already
been developed and communicated upstream.

* Proposal owners: The polkit support has to be merged with the Fedora
package. That requires changes to the pcsc daemon only, but indirectly all
packages that potentially may use smart cards are affected (opensc, firefox,
...).

* Other developers: Packages that use PC/SC smart cards must be checked that
they work as expected after the access control change.

* Release engineering:  No coordination is required.

* Policies and guidelines: If there is any security policy documentation, it
should be updated to include the new policies on smart cards (I couldn't find
any such documentation though).

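The forwarded proposal (quoted in Jan's reply and in Petr's original message above) says only that pcscd will ask polkit and that the default should be "root and the console user, like hard disks". What that means in practice for anyone running a non-interactive consumer of smart cards (a signing or PKCS#11 proxy daemon with no console session) is that the default will refuse it, and the fix is a site rule in /etc/polkit-1/rules.d/. The example below is an added illustration, not code from the thread, from Fedora or from pcsc-lite. The two action IDs are the ones pcsc-lite registers when built with polkit support; the group name "smartcard-svc", the user names and the scenarios are constructed for the example. The `polkit` object and `checkAuthorization()` are a small stand-in for what polkitd provides so the rule can be exercised offline; only the `polkit.addRule(...)` call belongs in a rules file.

```javascript
"use strict";

// Minimal stand-in for the host object polkitd exposes to rules files.
// Only what the rule below needs is modelled; in production polkitd
// provides this object and a rules file must NOT define it.
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  log(msg) { /* polkitd writes this to the journal; no-op here */ },
};

// ---- Contents of /etc/polkit-1/rules.d/50-pcsc.rules (deployable part) ----
polkit.addRule(function (action, subject) {
  // access_pcsc gates talking to pcscd at all, access_card gates
  // connecting to a card in a reader. Leave every other action alone.
  if (action.id !== "org.debian.pcsc-lite.access_pcsc" &&
      action.id !== "org.debian.pcsc-lite.access_card") {
    return polkit.Result.NOT_HANDLED;
  }
  // A headless service account has no console session, so the stock
  // "active local session" default rejects it. Grant it through a
  // dedicated group (hypothetical name) instead of opening pcscd to
  // every uid on the host.
  if (subject.isInGroup("smartcard-svc")) {
    polkit.log("pcsc: allowing service account " + subject.user);
    return polkit.Result.YES;
  }
  // Everyone else: root, or the user on the active local console, i.e.
  // the proposal's "same as hard disks" default. ssh logins, inactive
  // (switched-away) sessions and other users' background processes
  // cannot read, erase or talk to the card.
  if (subject.user === "root" || (subject.local && subject.active)) {
    return polkit.Result.YES;
  }
  return polkit.Result.NO;
});
// ---- End of rules file ----------------------------------------------------

const ACCESS_PCSC = "org.debian.pcsc-lite.access_pcsc";
const ACCESS_CARD = "org.debian.pcsc-lite.access_card";

// Stand-in for polkitd's evaluation: rules run in order and the first one
// returning a definite verdict wins. If none does, fall back to a
// simplified version of the implicit defaults (allow_active=yes,
// allow_inactive=no, allow_any=no; uid 0 is always authorized).
function checkAuthorization(actionId, subject) {
  for (const rule of polkit._rules) {
    const verdict = rule({ id: actionId }, subject);
    if (verdict !== undefined && verdict !== polkit.Result.NOT_HANDLED) {
      return verdict;
    }
  }
  return (subject.user === "root" || (subject.local && subject.active))
    ? polkit.Result.YES
    : polkit.Result.NO;
}

// Build a subject the way polkitd describes the calling process to rules:
// user name, group membership, and whether it sits in a local/active session.
function makeSubject({ user, groups = [], local = false, active = false }) {
  return { user, local, active, isInGroup: (g) => groups.includes(g) };
}

// Constructed scenarios (not taken from the thread).
const SCENARIOS = {
  rootDaemon:    makeSubject({ user: "root" }),
  consoleUser:   makeSubject({ user: "alice", local: true, active: true }),
  sshUser:       makeSubject({ user: "bob" }),
  lockedSession: makeSubject({ user: "carol", local: true, active: false }),
  svcAccount:    makeSubject({ user: "hsmproxy", groups: ["smartcard-svc"] }),
};

// Verdict for one named scenario asking to connect to a card.
function decide(name) {
  return checkAuthorization(ACCESS_CARD, SCENARIOS[name]);
}

for (const name of Object.keys(SCENARIOS)) {
  console.log(name.padEnd(14), "->", decide(name));
}
```

Note that a rules.d file overrides the defaults shipped in pcsc-lite's .policy file, so the explicit root/console branch restates the proposed default rather than relying on it; dropping that branch and returning `polkit.Result.NOT_HANDLED` for non-members would let the packaged defaults apply instead. Either way, `pkcs15-init -E` run from an ssh session as an ordinary user is refused by pcscd before it ever reaches the card, which is exactly what the proposal is after.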