[opensc-devel] Secure Credential Cloning. Was: Intel's Virtual Smart Card
On 2012-08-17 22:32, Jean-Michel Pouré - GOOZE wrote:
> It also means that the card middleware will be a part of the OS. This will boost the smartcard technology to a wider public, which is good news.
>
> It is essential to have the smartcard or token in the hand / in the pocket. Your computer cannot stand in your pocket. Only your mobile phone.

The original idea was indeed that you carried your token in your pocket. This idea is challenged by the fact that we have so many and independent logins. Since each login typically translates to a token (using current smart card technology), you would eventually need very big pockets.

Virtual smart cards have unlimited capacity and don't occupy space in your pocket either.

Does this for example make eIDs or company smart cards useless? Not all! You use your token as a secure bootstrap for getting a cloned credential onto a device, be it a phone or laptop.

This concept is by no means new or unique. The Swedish BankID CA have already issued more than 10M certificates in this fashion to consumers where the consumer typically uses an already deployed OTP token as bootstrap.

The only problem is that BankID and friends have to write their own client software since the to 99% US-dominated platforms do not support consumer-PKI.

Since traditional smart cards do not support on-line provisioning to end-users, virtual smart cards appear to be the only workable solution.

Anders
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] OpenSC Bugs and releases
Dear Viktor,

we're doing quite a lot of testing currently. So when you have a release candidate, just let me know.

Andreas

On 18.08.2012 18:45, Viktor Tarasov wrote:
> Hello Douglas.
>
> On 16/08/2012 20:01, Douglas E. Engert wrote:
>> Viktor,
>>
>> Thanks for going through all OpenSC bug reports the last few days. It's been a long time since that has been done.
>>
>> Do you have a time estimate when you will be done, and when we can have a 0.13.0 release candidate?
>
> Vaguely it could be the weekend -- one more week to look over the current tickets and for the tests.
>
> I have no experience in the release preparation and do not clearly imagine the criterion that can be used to declare the release candidate ready. Would be nice to hear your point of view on this and other release related questions.
>
> Thanks.
>
> Kind regards,
> Viktor.

--
CardContact Software System Consulting
Andreas Schwier
Schülerweg 38
32429 Minden, Germany
Phone +49 171 8334920
http://www.cardcontact.de
http://www.tscons.de
http://www.openscdp.org
Re: [opensc-devel] Secure Credential Cloning. Was: Intel's Virtual Smart Card
On 19/08/2012 10:14, Anders Rundgren wrote:
> Virtual smart cards have unlimited capacity and don't occupy space in your pocket either.

Then a USB token paired with some form of unsecure storage and having RSA capabilities and a button or a small keypad (display w/ touchscreen?) to enter consent/authorization code in a way that can't be intercepted/forged by software would be even better.

The unsecure storage could be easily encrypted under a private key that then gets encrypted under any number of token public keys, so no single point of failure exists and that storage can easily be shared/copied to any number of tokens. (IIRC, something along this line should/could be in next OpenPGP token).

This way you would have benefits of both virtual (practically unlimited number of certs/keys: if you use a 32G uSD as storage you'd have to spend your life receiving certs before filling it...) and real smart cards (bring it wherever you like, having full control).

If such a token would be issued by govs (so coming with a universally trusted cert to certify that extra keys are generated by the token), it would be the really universal card.

I don't like those vendor lock-ins. Maybe I saw too many burnt mobos, or just 'cause I prefer AMDs :), or simply it seems another way to introduce crippled boot feature and have users be happy with that (a virtual smart card, implemented in SW, requires some form of certified boot, so it only works with a certified OS), or reintroduce the dear old TPM (that has been cracked[1], BTW)... On the other hand, a token/card is platform-agnostic...

[1] http://www.computerworld.com/s/article/9151158/Black_Hat_Researcher_claims_hack_of_chip_used_to_secure_computers_smartcards

BYtE,
Diego.
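
The storage scheme described in the message above (one encrypted store, with its key wrapped once per token public key), as an added example that is not part of the original thread. It assumes the `openssl` command line tool; software RSA keys stand in for hardware tokens, and all file names are hypothetical.

```shell
#!/bin/sh
# Added example. Software RSA keys stand in for hardware tokens (assumption);
# file names such as token1.key and store.enc are hypothetical.

# setup_store DIR: encrypt a store once, wrap its key for two tokens.
setup_store() {
    dir=$1
    for t in token1 token2; do
        # On real hardware the private half would never leave the token.
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$dir/$t.key" 2>/dev/null
        openssl pkey -in "$dir/$t.key" -pubout -out "$dir/$t.pub"
    done
    # Random 256-bit storage key and 128-bit IV, kept as hex text.
    openssl rand -hex 32 > "$dir/storage.key"
    openssl rand -hex 16 > "$dir/store.iv"
    printf 'constructed sample credential blob\n' > "$dir/store.txt"
    # CBC gives confidentiality only; a real store also needs integrity.
    openssl enc -aes-256-cbc -K "$(cat "$dir/storage.key")" \
        -iv "$(cat "$dir/store.iv")" -in "$dir/store.txt" -out "$dir/store.enc"
    # One wrapped copy of the storage key per token public key (RSA-OAEP).
    for t in token1 token2; do
        openssl pkeyutl -encrypt -pubin -inkey "$dir/$t.pub" \
            -pkeyopt rsa_padding_mode:oaep \
            -in "$dir/storage.key" -out "$dir/storage.key.$t"
    done
    # Only ciphertext and wrapped keys remain on the unsecure storage.
    rm -f "$dir/storage.key" "$dir/store.txt"
}

# open_store DIR TOKEN: unwrap the storage key with one token, then decrypt.
open_store() {
    dir=$1 t=$2
    key=$(openssl pkeyutl -decrypt -inkey "$dir/$t.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$dir/storage.key.$t") || return 1
    openssl enc -d -aes-256-cbc -K "$key" -iv "$(cat "$dir/store.iv")" \
        -in "$dir/store.enc"
}
```

Either token opens the same store, and adding a further token only requires wrapping the storage key under its public key.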
Re: [opensc-devel] Secure Credential Cloning. Was: Intel's Virtual Smart Card
On 19/08/2012 15:50, Anders Rundgren wrote:
> Everything you write is fine and probably correct as well. The only fly in the soup is that *it is not happening*.

I think it will be just like the TPM: when enough people will realize what it is, it won't get accepted by the public. It's not long since restricted boot 'failed' and memory isn't so short.

> The smart card community has failed creating a cheap and readily available token that can be provisioned on-line while for example iPhone and Android already ship with built-in enrollment software.

It's still WIP: look at OpenKMS...

> However, there will always be a small market that prefers something special.

That's for sure :)

> I'm rather talking about the 99.999% that believes cost and availability matter. I also think that the poor GUI support offered by smart cards will make these look quite dated compared to virtual smart cards having cool logotypes and stuff.

SCs *are really* dated as concept. Old, messy interface, conflicting high-level standards (so many that everybody uses his own)... That's why a token or even a small calculator format w/ USB connectivity (and a standardized 'KISS' interface over the USB bus) would be better. Such a device could easily cost less than $100 (you can already find Android tablets w/ 7 display and cap ts at about $65, with wifi or even GSM connectivity! -- probably the only really needed piece of software needed could be a driver to use the SIM reader as a CAD, plus some glue).

BYtE,
Diego.
Re: [opensc-devel] Secure Credential Cloning. Was: Intel's Virtual Smart Card
On 2012-08-19 18:55, NdK wrote:
> On 19/08/2012 15:50, Anders Rundgren wrote:
>> Everything you write is fine and probably correct as well. The only fly in the soup is that *it is not happening*.
>
> I think it will be just like the TPM: when enough people will realize what it is, it won't get accepted by the public. It's not long since restricted boot 'failed' and memory isn't so short.
>
>> The smart card community has failed creating a cheap and readily available token that can be provisioned on-line while for example iPhone and Android already ship with built-in enrollment software.
>
> It's still WIP: look at OpenKMS...
>
>> However, there will always be a small market that prefers something special.
>
> That's for sure :)
>
>> I'm rather talking about the 99.999% that believes cost and availability matter. I also think that the poor GUI support offered by smart cards will make these look quite dated compared to virtual smart cards having cool logotypes and stuff.
>
> SCs *are really* dated as concept. Old, messy interface, conflicting high-level standards (so many that everybody uses his own)... That's why a token or even a small calculator format w/ USB connectivity (and a standardized 'KISS' interface over the USB bus) would be better. Such a device could easily cost less than $100 (you can already find Android tablets w/ 7 display and cap ts at about $65, with wifi or even GSM connectivity! -- probably the only really needed piece of software needed could be a driver to use the SIM reader as a CAD, plus some glue).

Who would buy a $100 solution if they can get one for free? I don't think even the SIM will survive.

Anders

> BYtE,
> Diego.