Re: [opensc-devel] Testing

2012-10-03 Thread Viktor Tarasov
Hello Andreas,


On Tue, Oct 2, 2012 at 7:53 PM, Andreas Schwier (ML) 
andreas.schwier...@cardcontact.de wrote:

 we've tested the nightly build (OpenSC-git20121002092635-win32.msi) that
 includes write support for the SmartCard-HSM and found no issues.

 We've tested with our own PKCS#11 test suite, integration with Firefox
 15.0.1 and Thunderbird 15.0.1 on Windows XP SP3.

 Will there be a new release candidate?



Ok, I will create the tag for release candidate.


 Andreas

 --

 -CardContact Software  System Consulting
|.## ##.|   Andreas Schwier
|#   #|   Schülerweg 38
|#   #|   32429 Minden, Germany
|'## ##'|   Phone +49 571 56149
 -http://www.cardcontact.de
  http://www.tscons.de
  http://www.openscdp.org


___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] new server hoster and administrator for opensc-project.org required

2012-10-03 Thread Viktor Tarasov
Hello Andreas,

On Tue, Oct 2, 2012 at 11:13 PM, Andreas Jellinghaus
andr...@ionisiert.dewrote:

 So, have you agreed on something? I read different opinions, offers,
 comments, but nothing that points out coming to some consent. What is your
 preference? Since I'm not really active, I don't want to decide this.

 I checked googlegroups and code.google.com, worst case I can figure out
 how to copy/move things there.


I will look into code.google.com, but besides this,
one of the solutions could be to:
- move the sources of the projects to github;
- use my CI service for nightly builds;
- install on the same platform a file server for release tarballs, RPMs, MSIs,
etc;
- move onto the same platform the wiki, trac and mailing lists.

If there are no other suggestions,
and if the study of googlegroups or similar does not bring another
solution,
we could start the migration.



 Regards, Andreas



Kind regards,
Viktor.





Re: [opensc-devel] new server hoster and administrator for opensc-project.org required

2012-10-03 Thread Alon Bar-Lev
On Tue, Sep 18, 2012 at 11:33 AM, Jean-Michel Pouré - GOOZE
jmpo...@gooze.eu wrote:

 Dear all,

  wouldn't it be better to move the remaining parts of the project to
  github ?

 Sorry if I did not catch this message before.
 I volunteer to take part in this project with the community.

 Migrating the platform would allow to clarify the community goals and
 participants. As written previously:

 * Community

 We need to extend the list of core hackers, to define the community and
 avoid having one person block or take control of the hosting
 environment.

 * Cheap hosting

 Host a minimal web server with OpenSC page. I suggest a cheap
 http://www.kimsufi.com/fr/

 * GitHub

 Migrate the code repositories to GitHub. Code issues and pull requests
 are enough to manage bugs and evolutions, provided that there is a
 clearly defined community in charge of the GitHub main projects.

 * Build-farm

 Have separate build farms coordinated by Jenkins. This is already the
 case for our build farm (Viktor and I). And we have proven we can run the
 farm 24x365. We run the farm on real computers. We can also provide backup.

 We recently bought a 12-core supermicro computer, to add to the build
 farm. We have received the motherboard, casing and processors and we
 still need the memory (around 96 Gb). This is meant to be a virtual
 server replacing my various computers in the build farm.

 It is also nice to have build farms running behind firewalls with very
 limited access to Internet using vlans.

 I suggest that we start with the political issues first, to design an
 informal community. Then we can host OpenSC safely on GitHub and start
 the migration.

 Kind regards,
 Jean-Michel POURE
 --

I think github provides a good service.

Alon.

Re: [opensc-devel] new server hoster and administrator for opensc-project.org required

2012-10-03 Thread Jean-Michel Pouré - GOOZE
Le mardi 02 octobre 2012 à 23:13 +0200, Andreas Jellinghaus a écrit :
 So, have you agreed on something? I read different opinions, offers,
 comments, but nothing that points out coming to some consent. What is
 your preference? Since I'm not really active, I don't want to decide
 this.

Please, Github is already hosting OpenSC. Although we like Google,
migrating to Google would be an additional difficulty.

I am proposing to host the current architecture on a dedicated host in
OVH, France. OVH is the largest hosting company in Europe and has fast
links.

My point is that:
* Wiki + ticket tracking system = OVH
* GIT = Github

I also register to be the webmaster. So the community can have someone
in charge to talk to. I don't want to act alone and will do what the
community asks me to do.

Kind regards,
Jean-Michel Pouré
-- 

  GOOZE - http://www.gooze.eu
   High quality cryptographic tools 
  for GNU/Linux, Mac OS X and Windows
 including the FEITIAN PKI card
 POURE SASU - 17 rue Saint Jacques - 95160 Montmorency - France
   Tel : +33 (0)9 72 13 53 90 - Mobile : +33 (0)6 51 99 37 90
 Registry: FR 527 672 448 00018 - VAT: FR54527672448
  ID PGP/GPG: 084F2584



Re: [opensc-devel] new server hoster and administrator for opensc-project.org required

2012-10-03 Thread Jean-Michel Pouré - GOOZE
 Besides this, one of the solutions could be to: - move the sources of
 the projects to github; - use my CI service for nightly builds; -
 install on the same platform a file server for release tarballs, RPMs,
 MSIs, etc; - move onto the same platform the wiki, trac and mailing
 lists.

Looks like the perfect solution.

What hosting company are you using? I think it is OVH.
What is your dedicated hosting plan?

Kind regards,
-- 
  Jean-Michel Pouré - Gooze - http://www.gooze.eu



Re: [opensc-devel] Testing

2012-10-03 Thread Jean-Michel Pouré - GOOZE
Le mercredi 03 octobre 2012 à 09:17 +0200, Viktor Tarasov a écrit :
 Ok, I will create the tag for release candidate.

Please have a look at this Mac OS X package issue. I don't understand
why the package build fails at final stage.

Kind regards,
-- 
  Jean-Michel Pouré - Gooze - http://www.gooze.eu



[opensc-devel] Donation of a dedicated server to the OpenSC community

2012-10-03 Thread Jean-Michel Pouré - GOOZE
Le mercredi 03 octobre 2012 à 10:13 +0200, Jean-Michel Pouré - GOOZE a
écrit :
 What is your dedicated hosting plan?

I am proposing to donate a Kimsufi 2G to the community and pay for it:
http://www.kimsufi.com/fr/

It has a dedicated IP, an ATOM processor with 2G RAM and 1T disc space.
Although the ATOM is quite slow, I think it could be enough to host the
wiki + trac.

Wiki + trac = OVH dedicated host
Github = Git
build farm: Viktor + Jean-Michel

I am of the opinion that we should have dedicated hosting for the OpenSC
main site, not linked with other hosting plans. For example, we have a
12-core computer at OVH. But I don't propose to host OpenSC there.

Independent hosting means that it belongs to the community.
We are not tied to a company and this is cheap hosting.
Then we can have several webmasters with root access.

Kind regards,
-- 
  Jean-Michel Pouré - Gooze - http://www.gooze.eu




[opensc-devel] W3C takes on Web+SecurityElements

2012-10-03 Thread Anders Rundgren
http://www.w3.org/2012/09/sysapps-wg-charter 

Since the smart card industry has never managed to make its stuff web
compatible before, I assume they will fail this time as well.

Anders


Re: [opensc-devel] new server hoster and administrator for opensc-project.org required

2012-10-03 Thread Andreas Schwier (ML)
Hi,

did anyone try the issue tracking and wiki functions on github? It seems
that it provides the same functionality as trac.

Migrating the data might be a pain, but also gives the opportunity to
clean things up.

I would prefer a solution where everything is nicely integrated.

Other than that, I agree with Viktor to use the existing CI service and
move the other parts there.

Andreas






Re: [opensc-devel] W3C takes on Web+SecurityElements

2012-10-03 Thread Andreas Schwier (ML)
So why do you think the smart card industry has never managed to get
their stuff web compatible?

Isn't OpenSC the best example that "Yes, you can access a protected
website / webapplication / webservice using a smart card and standards
based technology" works?

The issue really is that the topic at hand (PKI) is way too complex for
the average Doe to manage. That's always the downside: Security often
means complexity and comes with a price tag. And if it is complex, hard
to understand and someone offers some cheaper snake-oil, I probably go
for that.

Rather than exposing the complexity of the matter with a zoo of options
you can choose from, we need to focus on a single generic mechanism and
a well designed user experience.

It's all there (meaning S/MIME and TLS), it just needs to become a
little simpler to manage. So rather than re-inventing the n-th solution for
Web-ID, SSO or One-Time-Passwords, we - as a community - should improve
what already exists.

Andreas










Re: [opensc-devel] W3C takes on Web+SecurityElements

2012-10-03 Thread Anders Rundgren
On 2012-10-03 12:08, Andreas Schwier (ML) wrote:
 So why do you think the smart card industry has never managed to get
 their stuff web compatible ?
 
 Isn't OpenSC the best example that Yes, you can access a protected
 website / webapplication / webservice using a smart card and standard
 based technology works ?
 
 The issue really is, that the topic at hand (PKI) is way to complex for
 the average Doe to manage. That's always the downside: Security often
 means complexity and comes with a price tag. And if it is complex, hard
 to understand and someone offers some cheaper snake-oil, I probably go
 for that.
 
 Rather than exposing the complexity of the matter with a zoo of options
 you can choose from, we need to focus on a single generic mechanism and
 a well designed user experience.
 
 It's all there (meaning S/MIME and TLS), it just needs to become a
 little simpler to manage. So rather than re-inventing the n-solution for
 Web-ID, SSO or One-Time-Passwords, we - as a community - should improve
 what is already existing.

What do you decipher from the following?

http://lists.w3.org/Archives/Public/public-sysapps/2012Jun/0058.html

Anders


 


Re: [opensc-devel] W3C takes on Web+SecurityElements

2012-10-03 Thread NdK
Il 03/10/2012 13:23, Anders Rundgren ha scritto:

 What do you decipher from the following?
 http://lists.w3.org/Archives/Public/public-sysapps/2012Jun/0058.html
That Gemalto is interested in being an early player? :)

BYtE,
 Diego.


Re: [opensc-devel] W3C takes on Web+SecurityElements

2012-10-03 Thread Andreas Schwier (ML)
Hi Anders,

fine, just another API to access smart cards, tokens or secure elements -
this time using APDUs from within JavaScript. Why not?

I just don't see the application for it. What problem are they going to
solve?

Would I trust some foreign JavaScript code in my browser to freely
access my smart card?

The only real justification left for smart cards, tokens or secure
elements is to manage cryptographic keys and to perform operations that
require some kind of trusted execution environment (e.g. card based risk
management in EMV, totalling VAT in a fiscal meter). Storing plain data
on smart cards is a left-over from the early off-line days and is pretty
much useless in an always on-line world.

Given that, there are two problems to solve:

a) Allow applications (on the desktop, on the web or as an app) to access
keys on the smart card, token and secure element.

b) Manage (create, certify, import, export and delete) keys on the smart
card, token and secure element.

a) is pretty well solved using standards like PKCS#11, CSP Minidriver or
JCE. However, controlling access to the keys needs to be carefully
managed (using PIN-PAD readers or educating users not to leave the
key in the lock).

b) is a little more tricky, as it requires a certain level of trust in
the device where keys are to be stored. This trust level can be either
based on the central model "I - the CA - purchase the device and put the
keys into it" or the de-centralized model "I trust the manufacturer or
issuer of the device to create a genuine device".

The central model is pretty much what PKI operators are doing today:
They purchase a device and - in a trusted environment - put keys and
certificates into it.

The de-centralized model is a little more complicated, as the issuer might
be a national authority, a mobile network operator, a mobile device
manufacturer, a bank or a private operation. Quite often these issuers
have no interest in allowing others to issue certificates for keys on the
device they had to pay for - or they just don't see the benefit of the
next big thing.

Here comes the user centric model: Let the user decide where to store
the keys and allow the CA to determine how trustworthy that device is:
Might be a software token, a hardware token or a hardware token with a
trusted provisioning mechanism. If the CA knows that the keys are
stored on a genuine device and asserts that a validated identity is
linked to that key, then we don't need any further identity management
scheme.

I pretty much like the StartSSL approach: Once you've proved your
identity by submitting copies of two id documents, paying a fee and
answering a phone call, they will issue certificates for things you
own like domains and e-mail addresses. The next level could be keys
you own, that cannot be duplicated and can only be stolen physically.

I guess the trusted provisioning mechanism is what we need to work on
(and already do as far as we are concerned).

Andreas



Re: [opensc-devel] W3C takes on Web+SecurityElements

2012-10-03 Thread Douglas E. Engert


On 10/3/2012 5:08 AM, Andreas Schwier (ML) wrote:
 So why do you think the smart card industry has never managed to get
 their stuff web compatible ?

 Isn't OpenSC the best example that Yes, you can access a protected
 website / webapplication / webservice using a smart card and standard
 based technology works ?

 The issue really is, that the topic at hand (PKI) is way to complex for
 the average Doe to manage. That's always the downside: Security often
 means complexity and comes with a price tag. And if it is complex, hard
 to understand and someone offers some cheaper snake-oil, I probably go
 for that.

 Rather than exposing the complexity of the matter with a zoo of options
 you can choose from, we need to focus on a single generic mechanism and
 a well designed user experience.

 It's all there (meaning S/MIME and TLS), it just needs to become a
 little simpler to manage. So rather than re-inventing the n-solution for
 Web-ID, SSO or One-Time-Passwords, we - as a community - should improve
 what is already existing.

The approach we are taking for SSO is Shibboleth.

http://shibboleth.net/

Using the X509 login handler:

https://wiki.shibboleth.net/confluence/display/SHIB2/X.509+Login+Handler

OpenSC provides the client cert and key for TLS authentication to the IDP.

Shibboleth is all SAML based, and can work with other SAML based
services.

Support for OTP or whatever then is only needed in the IDP.





-- 

  Douglas E. Engert  deeng...@anl.gov
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


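The flow Douglas describes (card-held certificate, TLS client authentication at the IdP, a signed SAML-style assertion handed to the service) can be modelled end to end with nothing but the standard library. The block below is an added example for this thread, not OpenSC or Shibboleth code: the TLS handshake in which the card signs with its private key is assumed to have already completed, so the IdP receives the presented certificate as a plain dict; HMAC-SHA256 stands in for the RSA/XML-DSig signature a real IdP would apply; the entity ids, CA name, signing key and certificate are all constructed. It shows the checks each side must do and the four cases the service provider must refuse (wrong audience, expired, tampered, and an assertion under a retired IdP key).

```python
"""Toy model of certificate -> IdP -> signed assertion -> service provider.

Constructed example, not OpenSC or Shibboleth code. The TLS client-auth
handshake is assumed to have completed; HMAC-SHA256 stands in for the
asymmetric XML-DSig signature a real SAML IdP would produce.
"""
import copy
import hashlib
import hmac
import json
import time

IDP_ENTITY_ID = "https://idp.example.test"   # constructed
SP_ENTITY_ID = "https://sp.example.test"     # constructed

# Constructed: CA issuers the IdP accepts on client certificates.
TRUSTED_CA_ISSUERS = {"CN=Example Lab CA"}

# Constructed IdP signing keys indexed by key id. The SP holds a copy of this
# table; retiring a key (e.g. after it has been copied) means deleting its entry.
IDP_SIGNING_KEYS = {"idp-key-2012-10": b"constructed-idp-signing-key"}


def canonical(payload: dict) -> bytes:
    """Stable byte form of the payload so signer and verifier hash the same thing."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def idp_issue_assertion(client_cert, audience, now=None, ttl=300,
                        key_id="idp-key-2012-10", keys=IDP_SIGNING_KEYS):
    """IdP side. TLS already proved possession of the private key; the IdP
    still checks that the certificate comes from a CA it trusts and is inside
    its validity window, then issues a short-lived assertion bound to one SP."""
    now = time.time() if now is None else now
    if client_cert["issuer"] not in TRUSTED_CA_ISSUERS:
        raise ValueError("client certificate from an untrusted issuer")
    if not client_cert["not_before"] <= now < client_cert["not_after"]:
        raise ValueError("client certificate outside its validity period")
    payload = {
        "issuer": IDP_ENTITY_ID,
        "subject": client_cert["subject"],
        "audience": audience,            # stops replay of the assertion at another SP
        "issued_at": int(now),
        "expires_at": int(now) + ttl,
        # An attribute the certificate does not carry; the IdP supplies it.
        "attributes": {"role": client_cert.get("role", "member")},
    }
    sig = hmac.new(keys[key_id], canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "key_id": key_id, "sig": sig}


def sp_validate_assertion(assertion, expected_audience, trusted_idp,
                          trusted_keys, now=None):
    """SP side. Verify the signature before trusting any field of the payload."""
    now = time.time() if now is None else now
    key = trusted_keys.get(assertion["key_id"])
    if key is None:
        raise ValueError("unknown or retired IdP signing key")
    expected = hmac.new(key, canonical(assertion["payload"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        raise ValueError("assertion signature does not verify")
    payload = assertion["payload"]
    if payload["issuer"] != trusted_idp:
        raise ValueError("assertion issued by an untrusted IdP")
    if payload["audience"] != expected_audience:
        raise ValueError("assertion intended for a different service")
    if now >= payload["expires_at"]:
        raise ValueError("assertion expired")
    return payload


def _rejected(check) -> bool:
    """True when the check raises ValueError, i.e. the SP refused the assertion."""
    try:
        check()
    except ValueError:
        return True
    return False


def run_demo():
    """Walk the flow once, then show four things the SP must refuse."""
    now = 1349251200  # constructed: 2012-10-03 08:00 UTC
    cert = {  # constructed certificate as the TLS layer would hand it over
        "subject": "CN=Alice", "issuer": "CN=Example Lab CA",
        "not_before": now - 86400, "not_after": now + 86400, "role": "staff",
    }
    assertion = idp_issue_assertion(cert, SP_ENTITY_ID, now=now)
    ok = sp_validate_assertion(assertion, SP_ENTITY_ID, IDP_ENTITY_ID,
                               IDP_SIGNING_KEYS, now=now)
    forged = copy.deepcopy(assertion)
    forged["payload"]["subject"] = "CN=Mallory"   # edited without re-signing
    return {
        "subject": ok["subject"],
        "role": ok["attributes"]["role"],
        "wrong_audience": _rejected(lambda: sp_validate_assertion(
            assertion, "https://other.example.test", IDP_ENTITY_ID,
            IDP_SIGNING_KEYS, now=now)),
        "expired": _rejected(lambda: sp_validate_assertion(
            assertion, SP_ENTITY_ID, IDP_ENTITY_ID, IDP_SIGNING_KEYS, now=now + 600)),
        "tampered": _rejected(lambda: sp_validate_assertion(
            forged, SP_ENTITY_ID, IDP_ENTITY_ID, IDP_SIGNING_KEYS, now=now)),
        "retired_key": _rejected(lambda: sp_validate_assertion(
            assertion, SP_ENTITY_ID, IDP_ENTITY_ID, {}, now=now)),
    }


if __name__ == "__main__":
    print(run_demo())
```

The key-id lookup is the part that matters for the "copied signing keys" scenario raised later in the thread: the service's trust is only as good as the table of IdP keys it accepts, so being able to retire one entry without redeploying the service is what turns a key compromise into a rotation rather than an outage. The audience and expiry checks are what keep an assertion obtained for one service from being presented to another, which is the property the certificate alone does not give you once a middle party (the IdP) is involved.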


Re: [opensc-devel] Testing

2012-10-03 Thread Viktor Tarasov
I do not have a Mac and cannot do the tests myself.

If it's a regression, and if you have access to a Mac platform, you could
try to determine the commit that introduced this problem.
I do not see another way to resolve it.

I propose to tag the 'rc1' and wait for a certain time for more details or
for somebody who is capable of resolving it.

Kind regards,
Viktor.




On Wed, Oct 3, 2012 at 10:14 AM, Jean-Michel Pouré - GOOZE jmpo...@gooze.eu
 wrote:

 Le mercredi 03 octobre 2012 à 09:17 +0200, Viktor Tarasov a écrit :
  Ok, I will create the tag for release candidate.

 Please have a look at this Mac OS X package issue. I don't understand
 why the package build fails at final stage.

 Kind regards,
 --
   Jean-Michel Pouré - Gooze - http://www.gooze.eu


Re: [opensc-devel] W3C takes on Web+SecurityElements

2012-10-03 Thread Anders Rundgren
On 2012-10-03 14:42, Andreas Schwier (ML) wrote:
 Hi Anders,

Hi Andreas,

 
 fine, just another API to access smart cards, token or secure elements -
 this time using APDUs from within JavaScript. Why not ?
 
 I just don't see the application for it. What problem are they going to
 solve ?
 
 Would I trust some foreign JavaScript code in my browser to freely
 access my smart card ?
 
 The only real justification left for smart cards, token or secure
 elements is to manage cryptographic keys and to perform operations that
 require some kind of trusted execution environment (e.g. card based risk
 management in EMV, totalling VAT in a fiscal meter). Storing plain data
 on smart cards is a left-over from the early off-line days and is pretty
 much useless in an always on-line world.
 
 Given that, there are two problems to solve:
 
 a) Allow applications (on the desktop, on the web or as app) to access
 keys on the smart card, token and secure element.
 
 b) Manage (create, certify, import, export and delete) keys on the smart
 card, token and secure element.
 
 a) is pretty well solved using standards like PKCS#11, CSP Minidriver or
 JCE. However, controlling access to the keys needs to be carefully
 managed (using PIN-PAD readers or educating users to don't leave the
 key in the lock).

We might not agree on all this but you're IMO basically right.


 b) is a little more tricky, as it requires a certain level of trust in
 the device where keys are to be stored. This trust level can be either
 based on the central model I - the CA - purchase the device and put the
 keys into it or the de-centralized model I trust the manufacturer or
 issuer of the device to create a genuine device.
 
 The central model is pretty much what PKI operators are doing today:
 They purchase a device and - in a trusted environment - put keys and
 certificates into it.
 
 The de-centralized model is little more complicated, as the issuer might
 be a national authority, a mobile network operator, a mobile device
 manufacturer, a bank or a private operation. Quite often these issuers
 have no interest to allow others to issue certificates for keys on the
 device they had to paid for - or they just don't see the benefit of the
 next big think.
 
 Here comes the user centric model: Let the user decide where to store
 the keys and allow the CA to determine how trustful that device is:
 Might be a software token, a hardware token or a hardware token with a
 trusted provisioning mechanism. If the CA knows, that the keys are
 stored on a genuine device and asserts that a validated identity is
 linked to that key, then we don't need any further identity management
 scheme.

yes, this is exactly the thinking behind SKS/KeyGen2:

http://webpki.org/auth-token-4-the-cloud.html


 I pretty much like the StartSSL approach: Once you've proved your
 identity by submitting copies of two id documents, paying a fee and
 answering a phone call, they will issue certificates for things you
 own like domains and e-mail addresses. The next level could be keys
 you own, that can not be duplicated and only stolen physically.
 
 I guess the trusted provisioning mechanism is what we need to work on
 (and already do as far as we are concerned).

You should consider SKS a contender in this space.  However, SKS is also
about creating a standardized SE, something the smart card industry has
proved very unwilling to do (they sort of live on NDAs...).

IMO, *a standard SE is a requirement for success*.  Jean-Michel, do you hear 
me? :-) :-)

Anders

 

Re: [opensc-devel] W3C takes on Web+SecurityElements

2012-10-03 Thread Andreas Schwier
Hmmm, so why would I want an IDP if I could prove my identity
(certificate) and authenticity (client signature in SSL) with the
credentials I have on my card?

Is it because SAML is easier to integrate than SSL client authentication?
Or is it because I want my IDP (e.g. Google / Facebook) to know what
I'm doing?

The IDP model is perfect for username / password, but IMHO it's of less
use when you use keys and certificates. In the latter case the CA is your
IDP by providing you with a certificate you can use to authenticate
towards others (who trust that certificate issuer as they would trust
the IDP). And let's just wait for the first Diginotar incident at an IDP
- oops, they've copied our SAML signing keys...)

Andreas

Am 03.10.2012 15:44, schrieb Douglas E. Engert:

 On 10/3/2012 5:08 AM, Andreas Schwier (ML) wrote:
 So why do you think the smart card industry has never managed to get
 their stuff web compatible ?

 Isn't OpenSC the best example that Yes, you can access a protected
 website / webapplication / webservice using a smart card and standard
 based technology works ?

 The issue really is, that the topic at hand (PKI) is way to complex for
 the average Doe to manage. That's always the downside: Security often
 means complexity and comes with a price tag. And if it is complex, hard
 to understand and someone offers some cheaper snake-oil, I probably go
 for that.

 Rather than exposing the complexity of the matter with a zoo of options
 you can choose from, we need to focus on a single generic mechanism and
 a well designed user experience.

 It's all there (meaning S/MIME and TLS), it just needs to become a
 little simpler to manage. So rather than re-inventing the n-solution for
 Web-ID, SSO or One-Time-Passwords, we - as a community - should improve
 what is already existing.
 The approach we are taking for SSO is Shibboleth.

 http://shibboleth.net/

 Using the X509 login handler:

 https://wiki.shibboleth.net/confluence/display/SHIB2/X.509+Login+Handler

 OpenSC provides the client cert and key for TLS authentication to the IDP.

 Shibboleth is all SAML based, and can work with other SAML based
 services.

 Support for OTP or whatever then is only needed in the IDP.


 Andreas






 Am 03.10.2012 11:09, schrieb Anders Rundgren:
 http://www.w3.org/2012/09/sysapps-wg-charter 
 http://www.linkedin.com/redirect?url=http%3A%2F%2Fwww%2Ew3%2Eorg%2F2012%2F09%2Fsysapps-wg-charterurlhash=Tqzg_t=tracking_disc

 Since the smart card industry have never managed making their stuff web 
 compatible before, I assume they will fail this time as well.

 Anders
 ___
 opensc-devel mailing list
 opensc-devel@lists.opensc-project.org
 http://www.opensc-project.org/mailman/listinfo/opensc-devel



-- 

-CardContact Software  System Consulting
   |.## ##.|   Andreas Schwier
   |#   #|   Schülerweg 38
   |#   #|   32429 Minden, Germany
   |'## ##'|   Phone +49 571 56149
-http://www.cardcontact.de
 http://www.tscons.de
 http://www.openscdp.org



Re: [opensc-devel] W3C takes on Web+SecurityElements

2012-10-03 Thread Anders Rundgren
On 2012-10-03 20:45, Andreas Schwier wrote:
 Hmmm, so why would I want an IDP if I could prove my identity
 (certificate) and authenticity (client signature in SSL) with the
 credentials I have on my card ?
 
 Is it because SAML is easier to integrate than SSL client authentication
 ? Or is it because I want my IDP (e.g. Google / Facebook) to know what
 I'm doing ?
 
 The IDP model is perfect for username / password, but IMHO it's of less
 use when you use keys and certificates. In the latter case the CA is your
 IDP by providing you with a certificate you can use to authenticate
 towards others (who trust that certificate issuer as they would trust
 the IDP). And let's just wait for the first Diginotar incident at an IDP
 (oops, they've copied our SAML signing keys...)

I think one of the reasons is that the folks that created
TLS-client-certificate-authentication
forgot to implement logout in a way that works for web applications.

They claim that this is a feature and that I just have to understand
the beauty of it :-)
So everybody has to write local IDPs using SAML or cookies even if they have
PKI if they want to build anything that looks like a real web app.

Then there are of course other very legitimate uses of IDPs where
SAML attributes carry potentially completely alien information like
a role, which is often less suitable to have in a certificate.

Anders


 
 Andreas
 
 On 03.10.2012 15:44, Douglas E. Engert wrote:

 On 10/3/2012 5:08 AM, Andreas Schwier (ML) wrote:
 So why do you think the smart card industry has never managed to get
 their stuff web compatible ?

 Isn't OpenSC the best example that "Yes, you can access a protected
 website / webapplication / webservice using a smart card and standards-
 based technology" works?

 The issue really is that the topic at hand (PKI) is way too complex for
 the average Doe to manage. That's always the downside: Security often
 means complexity and comes with a price tag. And if it is complex, hard
 to understand and someone offers some cheaper snake-oil, I probably go
 for that.

 Rather than exposing the complexity of the matter with a zoo of options
 you can choose from, we need to focus on a single generic mechanism and
 a well designed user experience.

 It's all there (meaning S/MIME and TLS), it just needs to become a
 little simpler to manage. So rather than re-inventing the n-solution for
 Web-ID, SSO or One-Time-Passwords, we - as a community - should improve
 what is already existing.
 The approach we are taking for SSO is Shibboleth.

 http://shibboleth.net/

 Using the X509 login handler:

 https://wiki.shibboleth.net/confluence/display/SHIB2/X.509+Login+Handler

 OpenSC provides the client cert and key for TLS authentication to the IDP.

 Shibboleth is all SAML based, and can work with other SAML based
 services.

 Support for OTP or whatever then is only needed in the IDP.


 Andreas






 On 03.10.2012 11:09, Anders Rundgren wrote:
 http://www.w3.org/2012/09/sysapps-wg-charter 

 Since the smart card industry has never managed to make its stuff web
 compatible before, I assume it will fail this time as well.

 Anders

 
 



Re: [opensc-devel] W3C takes on Web+SecurityElements

2012-10-03 Thread Douglas E. Engert


On 10/3/2012 2:04 PM, Anders Rundgren wrote:
 On 2012-10-03 20:45, Andreas Schwier wrote:
 Hmmm, so why would I want an IDP if I could prove my identity
 (certificate) and authenticity (client signature in SSL) with the
 credentials I have on my card ?

The SSO aspect of the IDP... Using a smart card for every access is
an annoyance especially if you have many services a user uses on a daily
basis. It also allows for Federations. InCommon for example.


 Is it because SAML is easier to integrate than SSL client authentication
 ? Or is it because I want my IDP (e.g. Google / Facebook) to know what
 I'm doing ?

The IDP in our case is an enterprise IDP only usable by employees.


 The IDP model is perfect for username / password, but IMHO it's of less
 use when you use keys and certificates. In the latter case the CA is your
 IDP by providing you with a certificate you can use to authenticate
 towards others (who trust that certificate issuer as they would trust
 the IDP). And let's just wait for the first Diginotar incident at an IDP
 (oops, they've copied our SAML signing keys...)

Yes that is a concern.


 I think one of the reasons is that the folks that created
 TLS-client-certificate-authentication
 forgot to implement logout in a way that works for web applications.

 They claim that this is a feature and that I just have to understand
 the beauty of it :-)
 So everybody has to write local IDPs using SAML or cookies even if they have
 PKI if they want to build anything that looks like a real web app.

 Then there are of course other very legitimate uses of IDPs where
 SAML attributes carry potentially completely alien information like
 a role, which is often less suitable to have in a certificate.

Yes, that too. We can map the certificate to an employee and pass
employee attributes. Especially helpful if the smart cards are issued by
some higher authority.


 Anders



 Andreas

 On 03.10.2012 15:44, Douglas E. Engert wrote:

 On 10/3/2012 5:08 AM, Andreas Schwier (ML) wrote:
 So why do you think the smart card industry has never managed to get
 their stuff web compatible ?

 Isn't OpenSC the best example that "Yes, you can access a protected
 website / webapplication / webservice using a smart card and standards-
 based technology" works?

 The issue really is that the topic at hand (PKI) is way too complex for
 the average Doe to manage. That's always the downside: Security often
 means complexity and comes with a price tag. And if it is complex, hard
 to understand and someone offers some cheaper snake-oil, I probably go
 for that.

 Rather than exposing the complexity of the matter with a zoo of options
 you can choose from, we need to focus on a single generic mechanism and
 a well designed user experience.

 It's all there (meaning S/MIME and TLS), it just needs to become a
 little simpler to manage. So rather than re-inventing the n-solution for
 Web-ID, SSO or One-Time-Passwords, we - as a community - should improve
 what is already existing.
 The approach we are taking for SSO is Shibboleth.

 http://shibboleth.net/

 Using the X509 login handler:

 https://wiki.shibboleth.net/confluence/display/SHIB2/X.509+Login+Handler

 OpenSC provides the client cert and key for TLS authentication to the IDP.

 Shibboleth is all SAML based, and can work with other SAML based
 services.

 Support for OTP or whatever then is only needed in the IDP.


 Andreas






 On 03.10.2012 11:09, Anders Rundgren wrote:
 http://www.w3.org/2012/09/sysapps-wg-charter 

 Since the smart card industry has never managed to make its stuff web
 compatible before, I assume it will fail this time as well.

 Anders







-- 

  Douglas E. Engert  deeng...@anl.gov
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


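The flow Douglas describes above (OpenSC supplies the client certificate for TLS to the IDP, the IDP's X.509 login handler trusts the issuing CA, the IDP maps the certificate to an employee and passes employee attributes to SAML-based services) as a worked example in Go. This is added example code, not code from the thread, OpenSC or Shibboleth, and it models only what happens after the TLS handshake: the IDP verifies the presented certificate against the employee CA it trusts, looks the subject up in a directory and signs the attributes; the service provider checks the IDP's signature and never sees the card or the CA. The employee CA, the employee ID E12345, the directory entries and the line-based assertion format are all assumptions standing in for a real CA, an LDAP directory and SAML.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

var employeeDirectory = map[string]map[string]string{ // constructed; a real IDP would query LDAP or HR
	"E12345": {"mail": "alice@example.test", "role": "auditor"},
}

// Assertion stands in for a SAML assertion: "k=v" lines signed by the IDP.
type Assertion struct {
	Payload, Sig []byte
}

// issue creates a certificate for a fresh P-256 key: the self-signed (hypothetical) employee CA when parent is nil, else a card certificate signed by parent.
func issue(cn string, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		tmpl.ExtKeyUsage, parent, signer = nil, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err) // constructed input: a failure here is a bug in the example
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Login is the IDP's X.509 login-handler step: trust the issuing CA (not the card itself), then map the subject to employee attributes and sign them for the SP.
func Login(roots *x509.CertPool, idpKey *ecdsa.PrivateKey, clientCert *x509.Certificate) (*Assertion, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := clientCert.Verify(opts); err != nil {
		return nil, fmt.Errorf("client certificate not trusted: %w", err)
	}
	id := clientCert.Subject.CommonName
	attrs, ok := employeeDirectory[id]
	if !ok {
		return nil, fmt.Errorf("no employee record for %q", id)
	}
	lines := []string{"subject=" + id}
	for k, v := range attrs {
		lines = append(lines, k+"="+v)
	}
	sort.Strings(lines[1:]) // canonical order, the job XML canonicalization does for real SAML
	payload := []byte(strings.Join(lines, "\n"))
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, idpKey, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{Payload: payload, Sig: sig}, nil
}

// VerifyAssertion is the service-provider side: it trusts only the IDP's public key and never sees the card certificate or the employee CA.
func VerifyAssertion(idpPub *ecdsa.PublicKey, a *Assertion) (map[string]string, error) {
	digest := sha256.Sum256(a.Payload)
	if !ecdsa.VerifyASN1(idpPub, digest[:], a.Sig) {
		return nil, fmt.Errorf("assertion signature invalid")
	}
	out := map[string]string{}
	for _, line := range strings.Split(string(a.Payload), "\n") {
		if kv := strings.SplitN(line, "=", 2); len(kv) == 2 {
			out[kv[0]] = kv[1]
		}
	}
	return out, nil
}
```

Wiring it up means issuing the employee CA and a card certificate with issue, putting the CA into an x509.CertPool, generating the IDP's signing key, and calling Login followed by VerifyAssertion. Login returns an error for a certificate from an issuer outside the pool and for a trusted certificate whose subject has no directory record; VerifyAssertion rejects any change to the attributes after signing. The SP's only trust anchor is the IDP key, which is the single point the "Diginotar incident at an IDP" remark above is about.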