Re: [opensc-devel] opensc.conf.in changed for PIV and consistency question about max_send_size and max_recv_size
On 07.03.2007, at 23:28, Andreas Jellinghaus wrote:
> is that ok for everyone? does the code work correct, if there is no setting in the config file?

Estonian eID works with no opensc.conf file present. ([3101] [3099])

--
Martin Paljak
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] new pre release for 0.11.2 available
On 08.03.2007, at 9:06, Andreas Jellinghaus wrote:
> new users on windows trying to compile it themself.

New *users* on windows should be directed cleanly and clearly to pre-compiled solutions.

> the scb procedure works, maybe even quite good. but somehow some people manage to work with the raw source or prefer it that way (or don't know about scb).

New *developers* need also documentation and usually can either pick up from SCB or learn how to fulfill the requirement of 'zlib is required'.

m.
--
Martin Paljak

Re: [opensc-devel] new pre release for 0.11.2 available
On 06.03.2007, at 0:05, Andreas Jellinghaus wrote:
> It would be good to have opensc 0.11.2 soon, so I made another pre-release with current trunk available:

It would be really good - especially because due to lack of time a year ago 0.11.1 has a regression that renders 0.11.1 linux packages unusable for Estonian eID (changeset [3010] fixes that again)

> Please test this and give feedback.

All is nice but I'd like to have a small enhancement in 0.11.2 that has been available for .ee users for some time already. Please see #132. IMHO that ticket should not affect current situation and opensc users but improves some user experience scenarios a lot.

m.
--
Martin Paljak

Re: [opensc-devel] lsm pkcs#11 ?
The project is actually implementing a software security module (rather than a hardware security module / HSM) that uses a client/server approach with a PKCS#11 library on the client side. You run the daemon on one machine and use the PKCS#11 library on the client to access the cryptographic token. Cryptographic material is stored in a file on the server which is protected by some crypto-scheme.

In a simplistic scenario that does not require any FIPS or ITSEC evaluated key store, you could put the server into a vault and have a cheap and minimalistic HSM (no tamper resistance however).

The project can replace a HSM with a software implementation, but it does not allow to use PKCS#11 modules on the server (which I guess is what Andreas is looking for).

Kind regards,
Andreas

Alon Bar-Lev wrote:
> Hello Andreas,
>
> Why a daemon is required? Can't the card transaction be used to sync between instances? And if caching is required you can cache certificates by thumbprint at user home...
>
> Best Regards,
> Alon Bar-Lev.
>
> On 3/6/07, Andreas Jellinghaus [EMAIL PROTECTED] wrote:
>> http://www.clizio.com/lsmpkcs11.html
>>
>> did anyone have a look at this software and try it? if it does what I think and if we could attach opensc to the daemon side of it, then we might be able to do real locking etc, and still have multi applications access a card - if the daemon caches the certs etc.
>>
>> not sure if that idea works out, but might be worth a look.
>>
>> Regards, Andreas

--
CardContact Software System Consulting
Andreas Schwier
Schülerweg 38
32429 Minden, Germany
Phone +49 171 8334920
http://www.cardcontact.de

Re: [opensc-devel] lsm pkcs#11 ?
Thanks!

There is always egg and chicken conflict with this kind of approach... In order to communicate with remote daemon using TCP/IP you need to authenticate... But you cannot authenticate since you cannot access the token... This problem is common for most HSM modules as well... Not all allow to use local smartcard in order to open a session to remote HSM.

I was more concerned regarding the statement that locking and multi-application cannot be implemented without a daemon component. It sounds a bit strange as I know several providers which implement this.

Best Regards,
Alon Bar-Lev.

On 3/10/07, Andreas Schwier [EMAIL PROTECTED] wrote:
> The project is actually implementing a software security module (rather than a hardware security module / HSM) that uses a client/server approach with a PKCS#11 library on the client side. You run the daemon on one machine and use the PKCS#11 library on the client to access the cryptographic token. Cryptographic material is stored in a file on the server which is protected by some crypto-scheme.
>
> In a simplistic scenario that does not require any FIPS or ITSEC evaluated key store, you could put the server into a vault and have a cheap and minimalistic HSM (no tamper resistance however).
>
> The project can replace a HSM with a software implementation, but it does not allow to use PKCS#11 modules on the server (which I guess is what Andreas is looking for).
>
> Kind regards,
> Andreas
>
> Alon Bar-Lev wrote:
>> Hello Andreas,
>>
>> Why a daemon is required? Can't the card transaction be used to sync between instances? And if caching is required you can cache certificates by thumbprint at user home...
>>
>> Best Regards,
>> Alon Bar-Lev.
>>
>> On 3/6/07, Andreas Jellinghaus [EMAIL PROTECTED] wrote:
>>> http://www.clizio.com/lsmpkcs11.html
>>>
>>> did anyone have a look at this software and try it? if it does what I think and if we could attach opensc to the daemon side of it, then we might be able to do real locking etc, and still have multi applications access a card - if the daemon caches the certs etc.
>>>
>>> not sure if that idea works out, but might be worth a look.
>>>
>>> Regards, Andreas
>
> --
> CardContact Software System Consulting
> Andreas Schwier
> Schülerweg 38
> 32429 Minden, Germany
> Phone +49 171 8334920
> http://www.cardcontact.de