[opensc-devel] The biggest threat to Smart Cards - APPLE
With yet another record-quarter and having one of the most popular devices ever made, Apple is in a unique position of enhancing iPhone to also work as a stack of smart cards. It is technically by no means very difficult either.

One may argue that it will take a few years to do that but that should be compared with the EXTREMELY SLOW development going on in the smart card community. For example there is no [reasonable] way you can provision a card using a standard browser since the card industry doesn’t do browsers. Apple do browsers...

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] The biggest threat to Smart Cards - APPLE
Hello,

On Wed, Jul 20, 2011 at 10:03, Anders Rundgren wrote:
> With yet another record-quarter and having one of the most popular devices
> ever made, Apple is in a unique position of enhancing iPhone to also work as
> a stack of smart cards. It is technically by no means very difficult either.

From practical point of view:
I've heard that 10.7 breaks (again) Safari support for smart cards (at least with OpenSC.tokend). Yet "other browsers" like Chrome work. The rumor also tells that CDSA (the "crypto platform" behind OS X) has been deprecated and replaced by something new.

Will see when their new platform comes out, I don't think it is reasonable to fight with windmills with a company that is known to do whatever they want.

> One may argue that it will take a few years to do that but that should be
> compared with the EXTREMELY SLOW development going on in the smart card
> community. For example there is no [reasonable] way you can provision a card
> using a standard browser since the card industry doesn’t do browsers.
> Apple do browsers...

Traditional smart cards IMHO are not supposed to be self-subscribed. But the failed trusted computing (maybe not failed, but "the next big thing in IT security that has taken years to come") might probably be re-born as "identity tokens" in mobile devices (identity which is disconnected from the other greedy beast, the telecom operator). Given that almost all consumer devices have been rooted to date, I doubt the "trusted computing" theme will succeed in mobiles either. Maybe it even shouldn't.

If we omit the whining, what could we do?

Cheers,
Martin

Re: [opensc-devel] The biggest threat to Smart Cards - APPLE
On 2011-07-20 09:30, Martin Paljak wrote:
> Hello,
>
>> One may argue that it will take a few years to do that but that
>> should be compared with the EXTREMELY SLOW development going on
>> in the smart card community. For example there is no [reasonable] way
>> you can provision a card using a standard browser since the card
>> industry doesn’t do browsers. Apple do browsers...
>
> Traditional smart cards IMHO are not supposed to be self-subscribed.

Well, a more correct description is that they seem to be "supposed" to be provisioned using proprietary (or unusual) solutions. iPhone's already deployed Profile+SCEP shows that this "problem" is unique to smart cards.

> But the failed trusted computing (maybe not failed, but "the next big
> thing in IT security that has taken years to come") might probably be
> re-born as "identity tokens" in mobile devices (identity which is
> disconnected from the other greedy beast, the telecom operator). Given
> that almost all consumer devices have been rooted to date, I doubt the
> "trusted computing" theme will succeed in mobiles either. Maybe it
> even shouldn't.

I'm moderately worried about the absence of trusted computing, it is rather a journey. Rooting of iPhones is AFAIK mainly the result of Apple's lock-in policy.

> If we omit the whining, what could we do?

Unfortunately the smart card industry are fully occupied fighting their "comrades" so we can only relax and see the ship slowly sinking. It is even somewhat amusing...

I wouldn't even be surprised if one of these giants creates a payment network that directly competes with VISA. VISA doesn't do phones :-)

Yes, I'm still (slooowly) working on the open card and provisioning solution. So far it seems like the only challenger to coming Apple and Google monopolies.

Cheers,
Anders

>
> Cheers,
> Martin

Re: [opensc-devel] Patch: remove slots of detached reader(token)
2011/7/19 Viktor Tarasov:
> On 18/07/2011 14:52, Ludovic Rousseau wrote:
>> 2011/7/10 Viktor Tarasov:
>>> Hi,
>>
>> Hello,
>>
>>> there is patch proposal to treat properly the 'detach token(reader)'
>>> event and to remove the slots associated to the removed token.
>>>
>>> Tested in Linux and windows.
>>> 'SCardGetStatusChange' has different behavior in Linux and Windows.
>>> Needs to be studied and validated for Mac.
>>>
>>> https://github.com/viktorTarasov/OpenSC/commit/62bda63bd66c4849c0ca4303a9682fb6f6bacd7d
>>
>> /* When token is hot-unplugged:
>>  * - in Linux (pcsc-lite)
>>  * -- SCardGetStatusChange returns OK;
>>  * -- current reader state is 'UNKNOWN';
>>  * -- 'Refresh-attributes' returns 'SC_ERROR_READER_DETACHED'.
>>  *
>>  * - in Windows (WinSCard):
>>  * -- SCardGetStatusChange fails with SCARD_E_NO_READERS_AVAILABLE;
>>  * -- 'Refresh-attributes' returns 'SC_ERROR_NO_READERS_FOUND'.
>>  *
>>  * - FIXME: Mac?
>>  */
>>
>> I just checked on Mac OS X 10.6.8 (Snow Leopard) and I have nearly the
>> same result as on GNU/Linux.
>> On GNU/Linux : new state is 14 => ['Changed', 'Unknown', 'Unavailable']
>> On Mac OS X : new state is 6 => ['Changed', 'Unknown']
>>
>> On Windows, do you also get the error SCARD_E_NO_READERS_AVAILABLE
>> when you use TWO readers in the SCardGetStatusChange() call?
>
> I do not completely follow.
>
> SCardGetStatusChange is called by refresh_attributes(sc_reader_t *reader).
> In this context there is only one reader.

The question was about SCardGetStatusChange() on Windows in general not just its use by OpenSC.

I will do the test myself.

Thanks

--
Dr. Ludovic Rousseau

Re: [opensc-devel] Patch: remove slots of detached reader(token)
On 20/07/2011 19:04, Ludovic Rousseau wrote:
> 2011/7/19 Viktor Tarasov:
>> On 18/07/2011 14:52, Ludovic Rousseau wrote:
>>> 2011/7/10 Viktor Tarasov:
>>>> Hi,
>>>
>>> Hello,
>>>
>>>> there is patch proposal to treat properly the 'detach token(reader)'
>>>> event and to remove the slots associated to the removed token.
>>>>
>>>> Tested in Linux and windows.
>>>> 'SCardGetStatusChange' has different behavior in Linux and Windows.
>>>> Needs to be studied and validated for Mac.
>>>>
>>>> https://github.com/viktorTarasov/OpenSC/commit/62bda63bd66c4849c0ca4303a9682fb6f6bacd7d
>>>
>>> /* When token is hot-unplugged:
>>>  * - in Linux (pcsc-lite)
>>>  * -- SCardGetStatusChange returns OK;
>>>  * -- current reader state is 'UNKNOWN';
>>>  * -- 'Refresh-attributes' returns 'SC_ERROR_READER_DETACHED'.
>>>  *
>>>  * - in Windows (WinSCard):
>>>  * -- SCardGetStatusChange fails with SCARD_E_NO_READERS_AVAILABLE;
>>>  * -- 'Refresh-attributes' returns 'SC_ERROR_NO_READERS_FOUND'.
>>>  *
>>>  * - FIXME: Mac?
>>>  */
>>>
>>> I just checked on Mac OS X 10.6.8 (Snow Leopard) and I have nearly the
>>> same result as on GNU/Linux.
>>> On GNU/Linux : new state is 14 => ['Changed', 'Unknown', 'Unavailable']
>>> On Mac OS X : new state is 6 => ['Changed', 'Unknown']
>>>
>>> On Windows, do you also get the error SCARD_E_NO_READERS_AVAILABLE
>>> when you use TWO readers in the SCardGetStatusChange() call?
>>
>> I do not completely follow.
>>
>> SCardGetStatusChange is called by refresh_attributes(sc_reader_t *reader).
>> In this context there is only one reader.
>
> The question was about SCardGetStatusChange() on Windows in general
> not just its use by OpenSC.
>
> I will do the test myself.

I honestly tried to do it, installed Python on windows, tried to run your script. It gave syntax error on 'print' command. I don't know Python and postponed 'C' test program until the weekend. That's why such answer.

> Thanks

Regards,
Viktor.

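The detach behaviour compared in this sub-thread, as an added example (not part of any message and not OpenSC code): it decodes the state values 14 and 6 reported above and maps both the pcsc-lite/Mac OS X result and the Windows error to one "reader detached" event. The flag and error values are the standard PC/SC ones, redefined locally so it builds without a PC/SC library; `decode_state`, `classify` and `enum reader_event` are hypothetical names.

```c
/* Added example, not OpenSC code. Flag and error values are the standard
 * PC/SC ones (pcsclite.h / winerror.h), redefined so this builds offline. */
#include <stdio.h>
#include <string.h>
#define SCARD_S_SUCCESS               0x00000000UL
#define SCARD_E_NO_READERS_AVAILABLE  0x8010002EUL
#define SCARD_STATE_CHANGED           0x0002UL
#define SCARD_STATE_UNKNOWN           0x0004UL
#define SCARD_STATE_UNAVAILABLE       0x0008UL
#define SCARD_STATE_EMPTY             0x0010UL
#define SCARD_STATE_PRESENT           0x0020UL

/* Hypothetical result type for this sketch. */
enum reader_event { READER_OK, READER_DETACHED, READER_ERROR };

/* Write the names of the set flags into out, comma separated. */
const char *decode_state(unsigned long state, char *out, size_t len)
{
    static const struct { unsigned long bit; const char *name; } flags[] = {
        { SCARD_STATE_CHANGED, "Changed" }, { SCARD_STATE_UNKNOWN, "Unknown" },
        { SCARD_STATE_UNAVAILABLE, "Unavailable" },
        { SCARD_STATE_EMPTY, "Empty" }, { SCARD_STATE_PRESENT, "Present" },
    };
    out[0] = '\0';
    for (size_t i = 0; i < sizeof flags / sizeof flags[0]; i++) {
        if (!(state & flags[i].bit)) continue;
        if (out[0]) strncat(out, ", ", len - strlen(out) - 1);
        strncat(out, flags[i].name, len - strlen(out) - 1);
    }
    return out;
}

/* Map one SCardGetStatusChange() result to a platform-neutral event. */
enum reader_event classify(unsigned long rv, unsigned long event_state)
{
    if (rv == SCARD_E_NO_READERS_AVAILABLE)  /* Windows case from the thread */
        return READER_DETACHED;
    if (rv != SCARD_S_SUCCESS)
        return READER_ERROR;
    /* pcsc-lite and Mac OS X: the call succeeds, the state has 'Unknown' set */
    return (event_state & SCARD_STATE_UNKNOWN) ? READER_DETACHED : READER_OK;
}

int main(void)
{
    char buf[64];
    printf("14 => [%s]\n", decode_state(14, buf, sizeof buf)); /* GNU/Linux */
    printf(" 6 => [%s]\n", decode_state(6, buf, sizeof buf));  /* Mac OS X */
    return classify(SCARD_S_SUCCESS, 14) == READER_DETACHED ? 0 : 1;
}
```

Testing the `Unknown` bit rather than comparing the whole state value is what lets the same check cover both 14 and 6.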
Re: [opensc-devel] The biggest threat to Smart Cards - APPLE
2011/7/20 Martin Paljak:
> Hello,
>
> On Wed, Jul 20, 2011 at 10:03, Anders Rundgren wrote:
>> With yet another record-quarter and having one of the most popular devices
>> ever made, Apple is in a unique position of enhancing iPhone to also work as
>> a stack of smart cards. It is technically by no means very difficult either.
>
> From practical point of view:
> I've heard that 10.7 breaks (again) Safari support for smart cards (at
> least with OpenSC.tokend). Yet "other browsers" like Chrome work. The
> rumor also tells that CDSA (the "crypto platform" behind OS X) has
> been deprecated and replaced by something new.
>
> Will see when their new platform comes out, I don't think it is
> reasonable to fight with windmills with a company that is known to do
> whatever they want.

Lion is now out.

An interesting note (from today) about the tokend situation in Lion:
http://lists.macosforge.org/pipermail/smartcardservices-users/2011-July/000224.html

"
On Jul 20, 2011, at 3:00 PM, Walls, Bryan K. (MSFC-EO50) wrote:
> Is there an ETA on when there might be an installer package for Lion that
> will give a similar setup for smart cards as comes by default with 10.6.8?

Bryan,

Sorry that we do not have a specific ETA yet, but we are working to provide it ASAP. Keep in mind that you can personally correct things manually right now with bringing the 10.6.x Tokend over and making the /etc/authorization mod if you use for Login.

Stay Tuned.

-Shawn
__
Shawn Geddis                     geddis at me.com
Security Consulting Engineer     geddis at apple.com
"

--
Dr. Ludovic Rousseau