Daniel Benoy wrote:
Being able to open the doors with them may make or break my proposal to
my company that we should issue smart cards to all employees.
You most likely do *not* want to use smartcard *contact* readers as a
physical access control system (PACS), except in special, very
low-vo
Daniel Benoy wrote:
Will that use/coexist on the same card with MuscleCard?
It's just a data model. :)
Translation: I have no idea, but it can't be that hard.
-- Tim
___
Muscle mailing list
Daniel Benoy wrote:
If MuscleCard works well for me, I'm going to advocate that we use them
for authentication at my work.
One question which is bound to come up is 'Can we use them to unlock
doors', because we currently use proximity cards.
Is it possible to use MuscleCard to authenticate a
Michael Bender wrote:
> The root cause of all this mess is because none of the smartcard
> manufacturers were
> mature enough to want to work *together* (rather than at cross-purposes)
> when the
> technology was being developed decades ago, so everyone gave lip service
> to the
> "standards" a
On Nov 25, 2007, at 3:14 PM, Kevin Reinholz wrote:
I think there were 28 certs imported from those 3 chains in
Firefox, versus 32 in Internet Explorer.
The difference here is, IIRC, that Firefox doesn't import the
*expired* issuing CAs (3 & 4, both email and ID).
The error you're seeing i
Byron Johnson wrote:
This is partly correct. DoD does not allow you to export private keys, they
are stored and locked onto the CAC card. You cannot authenticate someone,
unless your server or meta-directory is granted access to do so. Currently I
know of nothing but AKO that is allowed to do su
Roy Keene (Contractor) wrote:
Thus if your workstation is in a significantly increased position of
risk (i.e., you do not apply security patches, and are not on a network
that blocks known-bad attackers, and there is no IDS/IPS) then any
e-mail you send is at a significantly increased risk of
Roy Keene (Contractor) wrote:
CAC in a Personal (i.e., potentially not managed by someone who meets
DISA requirements for a system administrator, and on a network that
follows DISA guidelines to mitigate risk) machine mostly defeats the
purpose of it.
That's a hell of a claim. Care to back i
Ludovic Rousseau wrote:
Just install the pcscd Ubuntu package from universe. It is version
1.2.9-beta9 for Ubuntu 6.06.
You may also rebuild pcsc-lite 1.4.0 from Debian unstable to have a
more recent package.
Be aware that I've been having problems with Ubuntu 6.10's
libmusclepkcs11 & NSS loa
do the same thing using 'libcoolkeypk11'? If you know of any
document on how to generate the pass-code using Coolkey, would you
please let me know?
Thanks,
--Vasu
On 2/5/07, Timothy J. Miller <[EMAIL PROTECTED]> wrote:
Vasudevan S wrote:
> Hi John,
> Thanks for the response. I a
Vasudevan S wrote:
Hi John,
Thanks for the response. I am using 'activcard' to access my VPN.
I do have coolkey installed. But, I don't know whether it is really
being used right now. I will try to gather more data with coolkey.
Coolkey provides a PKCS#11 module (libcoolkeypk11). If your VPN c
John H. wrote:
Yes, that fixes it! That's what I've been wondering how to force it
to do for a while, as I always noticed with IE that it worked with one
but not the other.
Technically speaking, the back-end application should accept either.
Practically speaking, the naive way of mapping cert
John H. wrote:
Am I the only one having problems now with the latest versions of
firefox on using it on CAC sites? There is a bug regarding root CAs
in latest firefox 2.0.0.1, but it seems it may be carrying over.
What problems? Not seeing anything here at my end of things.
-- Tim
Peter Williams wrote:
what is fascinating about the design of the library is not its novelty,
but its audacity. You cannot use the crypto capability of the CAC if (a)
the network is not there (b) the crypto control authority (via signed
OCSP) doesn't cooperate or opts not to cooperate with you f
Greg Hennessy wrote:
My CAC does indeed have a URI that points to a disa.mil host, but I
also don't get a response when
I go to that link. I'll attempt to try Timothy Miller's suggestion and
see how that fares. I did note
that if I turned off the enable_oscp pkcs11_inspect did display the
in
Allshouse, Brian M CTR NSWCDD XDT wrote:
The bug has since been fixed and released on Mozilla's site
but I'm sure it's not in FC6.
Bob Relyea told me should be in the RHEL5 beta, but I don't have access
to that at the moment. It'll be in an FC6 update, I should think.
-- Tim
Todd Denniston wrote:
In this certificate there is a section "Authority Information Access"
which contains an OCSP URI definition, pkcs11_vfy is faulting on what it
finds there. The URI (shouldn't that be URL?) that is on mine is a
disa.mil host, which eventually times out when I try to have f
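Added example (editor's code, not from the list, pam_pkcs11 or coolkey): a minimal DER decoder for the Authority Information Access extension value, which is what a verifier reads to find the OCSP responder it will try to contact. The sample extension bytes are constructed inline with placeholder hosts (ocsp.example.test, crl.example.test), not the disa.mil URI from the cards discussed; the parser takes the extnValue content (the bytes inside the extension's OCTET STRING), not a whole certificate.

```python
"""Decode the AIA extension (RFC 5280 4.2.2.1) to list its OCSP responder URIs.

Editor's example; the DER helpers below are written here and are not part of
pam_pkcs11, NSS or coolkey. Input is the AIA extnValue content:

  AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription
  AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName }
  uniformResourceIdentifier is GeneralName choice [6], IMPLICIT IA5String, tag 0x86
"""

ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"


def read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; returns (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not valid DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Dotted-string form of an OBJECT IDENTIFIER's content bytes."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_aia(extn_value):
    """Return [(accessMethod OID, URI or None), ...] from an AIA extnValue."""
    tag, seq, _ = read_tlv(extn_value, 0)
    if tag != 0x30:
        raise ValueError("AIA extnValue must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        tag, desc, pos = read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("AccessDescription must be a SEQUENCE")
        tag, oid, p = read_tlv(desc, 0)
        if tag != 0x06:
            raise ValueError("accessMethod must be an OID")
        tag, loc, _ = read_tlv(desc, p)
        uri = loc.decode("ascii") if tag == 0x86 else None   # other GeneralName forms not decoded
        out.append((decode_oid(oid), uri))
    return out


def ocsp_responders(extn_value):
    """Just the OCSP URIs, i.e. the hosts a verifier with OCSP enabled will contact."""
    return [uri for oid, uri in parse_aia(extn_value) if oid == ID_AD_OCSP and uri]


# --- encoder used only to construct the sample input below ---------------------
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(reversed(chunk))
    return der(0x06, body)


# Constructed sample AIA value with placeholder hosts (not a real DoD responder).
SAMPLE_AIA = der(0x30,
    der(0x30, encode_oid(ID_AD_OCSP) + der(0x86, b"http://ocsp.example.test"))
    + der(0x30, encode_oid(ID_AD_CA_ISSUERS) + der(0x86, b"http://crl.example.test/ca.cer")))

if __name__ == "__main__":
    for oid, uri in parse_aia(SAMPLE_AIA):
        print(oid, uri)
    print("OCSP responders:", ocsp_responders(SAMPLE_AIA))
```

If the responder this prints is unreachable from your network, you get the timeout described above; the separate "Invalid OCSP signing cert" failure mentioned in the next message is about the responder's signing certificate being absent from the local store, not about this URI.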
Greg Hennessy wrote:
One certificate seems fine, but can anyone shed light on what Invalid
OCSP signing cert means I did wrong?
You're missing the DoD OCSP signing certificate in your cert store,
that's all. Email me privately from your USN account and I'll send it
to you from my AF account
Todd Denniston wrote:
IIRC from another mailing list I am on, the Fedora version may use
`certutil` instead of pam_pkcs11's `make_hash_link.sh` to create links
to each of the CAs, and I am not sure if they keep them (the CAs) in the
same place as the normal pam_pkcs11.
FC6's pam_pkcs11 is NS
Edward M. Kutrzyba III wrote:
I have CoolKey running to authenticate with my browser (Firefox), but I
cannot sign an email with it. Has anyone signed an email, in
thunderbird, using CoolKey and CAC?
Try reading an encrypted email sent from another client. If that works
then it's probably a
Todd Denniston wrote:
I know there have been a couple of cac updates to coolkey since I got my
copy, but I know this one works.
IIRC a number of these changes are to accommodate the upcoming
alternative token (smartcard with the ActivIdentity applets on it and
only one cert to enable Win
Todd Denniston wrote:
Do you know how would one set COOL_KEY_LOG_FILE into the environment for
pam??? i.e. it works when I am using it with firefox, my problem was
with pam.
You could try passing it as a boot environment variable--i.e., add
COOL_KEY_LOG_FILE=/tmp/foo to your boot parameters.
Todd Denniston wrote:
Cool, it would be nice to be able to read a log that is not disappearing
while trying to figure out what is going wrong.
FWIW, RedHat has a bunch of patches against 0.5.3 checked into FC5.
Most interesting is they converted it over from OpenSSL to NSS for cert
processin
Todd Denniston wrote:
yours worked better than mine
I seem to be getting that a lot. :)
I can get coolkey to build and install with:
./configure --prefix=/tmp/testbuild/install \
--with-pcsclite=/usr/local/include/PCSC/
[built PCSC-lite from the Debian sources according to Andrew Pimlo
Roy Keene (Contractor) wrote:
I've had similar experiences where stopping PCSCD and immediately
restarting it produced this failure mode. Usually waiting longer
between restarts or simply trying again fixed it for me.
I've seen the same thing; I think there's an underlying USB issue.
--
Roy Keene (Contractor) wrote:
This message has been signed from Thunderbird on Linux using
the CoolKey PKCS11 module without the presence of commonAccessCard.bundle.
Well dip me in batter and fry me like a corndog. Neat.
> src/coolkey/slot.c:
> /* support CAC card. identify the
Roy Keene (Contractor) wrote:
You might also want to look into CoolKey
(http://directory.fedora.redhat.com/wiki/CoolKey) as it doesn't need
commonAccessCard.bundle and seems to recognize a wide range of CAC cards
without the need to update the ATR list or patch libmusclepkcs11.
I don't think
Geoff Elgey wrote:
Same here. I've got a bunch of AirForce-issued CAC cards, which I
haven't been able to read, and CoolKey + pcsclite 1.3.0 + ccid-1.0.0
just worked. Sweet.
Be aware that there will be a new token issued to admins to facilitate
SCL (since Windows allows only a one-to-one mapp
Timothy J. Miller wrote:
OpenSC is on my plate, if for no other reason than the PIV support
that's going in. It's not my current top priority because of the lack
of CAC support, and for now CAC takes precedence over PIV because of the
current and upcoming JTF-GNO orders requiring
Attached is a proposed fix against 1.1.5 to the problem of closing
sessions after logout.
The key of the problem is that when a token doesn't support
MSCLogoutAll() (like the CAC), the card is reset instead. When closing
the session, closeSessionLocked() calls slot_TokenChanged() which sees
Douglas E. Engert wrote:
OpenSC-0.11.0 has PIV support via PKCS#11. The intent was to provide the
client side routines. But for testing the piv-tool can initialize some
test cards if you know the keys and particulars of the card you are using.
OpenSC is on my plate, if for no other reason than
Scott Guthery wrote:
Did somebody forget to take their meds?
Let me second that sentiment. PIV doesn't do any asymmetric operations
over the contactless interface.
-- Tim
Corcoran David wrote:
I may be wrong on this, but I believe you can "simulate" a logout
command by selecting the card's Card Manager and then the applet again.
Not sure if this will work with the CAC since it has a shared ID applet
which manages PIN state, but it is worth a try
I was loo
Todd Denniston wrote:
You are probably a little better in the know than me, so please clarify.
I thought that all the new 64K cards were coming with the PIV applet, is
that incorrect?
I just double-checked: Based on testimony, there is no 32k stock in the
issuance pipeline any more; it's al
Corcoran David wrote:
I may be wrong on this, but I believe you can "simulate" a logout
command by selecting the card's Card Manager and then the applet again.
Not sure if this will work with the CAC since it has a shared ID applet
which manages PIN state, but it is worth a try
That's a
Timothy J. Miller wrote:
Andrew Pimlott wrote:
Perchance, is this related to firefox losing access to the CAC if it is
removed and reinserted while firefox is running? Do you see that
behavior before and/or after your patch?
I didn't see that behavior before and I'm certainly not
Andrew Pimlott wrote:
Perchance, is this related to firefox losing access to the CAC if it is
removed and reinserted while firefox is running? Do you see that
behavior before and/or after your patch?
I didn't see that behavior before and I'm certainly not seeing it after.
-- Tim
Scott Guthery wrote:
1) The relevant specification is NIST SP 800-73 which does include the
notion of logged-in/logged-out on the client API. It is available at:
NIST800-73 is PIV. PIV != CAC. I have to cope with existing CAC cards
for now and for the next three years at a minimum. The DoD
Timothy J. Miller wrote:
1) Add MSCLogoutAll to commonAccessCard.c. This is probably the best
solution, but I have no freakin' clue how to go about it;
I did some digging on this, and pulled down & perused the NIST gov't
smartcard spec the CAC complies with. GSC-IS has
Timothy J. Miller wrote:
Because if I am, then this looks to be what's biting me in the ass. :)
And indeed, it seems to be so. If I modify C_Logout in p11_session.c to
*not* reset the card after msc_LogoutAll returns an error, the code I've
been having problems with works li
Let me ask a potentially dumb question:
The first thing you do in C_Logout is to start a transaction and do
msc_LogoutAll. If this succeeds, the transaction is ended with
MSC_LEAVE_TOKEN flagged. If msc_LogoutAll returns an error, then the
transaction is ended with MSC_RESET_TOKEN flagged.
Todd Denniston wrote:
I have not tried that yet (locked my card with some of the tests
yesterday), but looking at the changes in the patch still applied (item
7 from Andrew Pimlott[1]) I don't see any thing that should be messing
with the data that is causing the problems.
For the record, w
Edward Kutrzyba wrote:
Did you try the cac bundle without any mods?
The latest SmartCardServices tarball I had was 26726; I just now pulled
26777 and compiled a new bundle without any mods. I'm still getting the
same behavior (MSCIsTokenMoved is told there was a token changed, and
then the
Timothy J. Miller wrote:
1) slot_TokenChanged is detecting a token change when none occurred,
deleting the session prematurely;
Deeper and deeper in the rabbit-hole I go...
So I recompiled everything with symbols so I can step through the whole
schlemiel, and I follow the ball all the way
Timothy J. Miller wrote:
This whole process looks to me like it's detecting a token change
(removal), deleting the session, returning the wrong error code because
of the function failed errors, and then launching us into the second
slot_FreeSession call which is dereferencing a stale po
Timothy J. Miller wrote:
It looks to me that when session_FreeSession is called the session table
has a stale pointer in it. I'm not familiar enough with the code to fix
it (or figure out why it's happening in the first place) yet.
I'm not very good at this, so any help
Todd Denniston wrote:
Tim,
the segfault is happening at:
muscleframework-1.1.5.orig/libmusclepkcs11/src/p11x_session.c:136
[while( prev->hnext != session ) {]
while being called from
closeSessionLocked (hSession=1) at p11_session.c:104
[else if (!CKR_ERROR(rv = session_FreeSession(session)))]
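Added example, an editor's model and not the libmusclepkcs11 or CAC code: a Python state machine of the C_Logout / C_CloseSession sequence described in the "potentially dumb question" above and in the segfault trace (slot_TokenChanged, session_FreeSession). Token, Slot, MscNotSupported and the flag strings are hypothetical stand-ins for the MSC and CKR values, not the library's identifiers. It shows why a card reset substituted for an unsupported LogoutAll makes the later close see an unknown session handle (here a safe table lookup turns the stale entry into an error instead of a dereference), and what the "don't reset on error" workaround costs.

```python
"""Model of C_Logout followed by C_CloseSession on a token without LogoutAll.

Editor's model, not libmusclepkcs11: a token that does not implement
MSCLogoutAll (as described for the CAC) is reset instead, the reset shows up
as a token change, and the sessions are torn down before the application
closes them.
"""


class MscNotSupported(Exception):
    """Stand-in for the MSC error a token returns for an unimplemented LogoutAll."""


class Token:
    def __init__(self, supports_logout_all):
        self.supports_logout_all = supports_logout_all
        self.generation = 0          # bumped on every reset, like a fresh ATR after reinsertion
        self.logged_in = False       # PIN state held by the card

    def login(self):
        self.logged_in = True

    def logout_all(self):
        if not self.supports_logout_all:
            raise MscNotSupported
        self.logged_in = False

    def reset(self):
        self.generation += 1
        self.logged_in = False       # a reset does clear the PIN state ...


class Slot:
    def __init__(self, token):
        self.token = token
        self.seen_generation = token.generation
        self.sessions = {}           # handle -> session record
        self.next_handle = 1

    def open_session(self):
        h = self.next_handle
        self.next_handle += 1
        self.sessions[h] = {"handle": h}
        return h

    def token_changed(self):
        """Counterpart of slot_TokenChanged: a new generation drops every session."""
        if self.token.generation != self.seen_generation:
            self.seen_generation = self.token.generation
            self.sessions.clear()
            return True
        return False

    def c_logout(self, reset_on_error):
        """Returns the flag the transaction is ended with."""
        try:
            self.token.logout_all()
            return "MSC_LEAVE_TOKEN"
        except MscNotSupported:
            if reset_on_error:       # current behaviour described on the list
                self.token.reset()
                return "MSC_RESET_TOKEN"
            return "MSC_LEAVE_TOKEN"  # the "do not reset" workaround

    def c_close_session(self, handle):
        self.token_changed()         # ... but the change tears the session table down
        if handle not in self.sessions:
            return "CKR_SESSION_HANDLE_INVALID"   # the stale entry, caught safely here
        del self.sessions[handle]
        return "CKR_OK"


def logout_then_close(supports_logout_all, reset_on_error):
    """Returns (transaction end flag, close result, PIN still verified on the card)."""
    tok = Token(supports_logout_all)
    slot = Slot(tok)
    h = slot.open_session()
    tok.login()
    end_flag = slot.c_logout(reset_on_error)
    return end_flag, slot.c_close_session(h), tok.logged_in


if __name__ == "__main__":
    print("LogoutAll supported, reset on error:", logout_then_close(True, True))
    print("CAC-like, reset on error:           ", logout_then_close(False, True))
    print("CAC-like, leave token on error:     ", logout_then_close(False, False))
```

In the model, skipping the reset keeps the session table intact but leaves the card's PIN verified (the last value stays True), so the workaround trades a broken close for a token that was never logged out; an applet-level LogoutAll, the first of the options listed earlier in the thread, is what clears both.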
Geoff Elgey wrote:
I can't recall the code mentioned above, but it's very possible that
something quickly written as an example to a mailing list could be
buggy...
The code is from this message:
http://archives.neohapsis.com/archives/dev/muscle/2005-q2/0230.html
And you're right, it might be
I've patched & rebuilt musclecardframework-1.1.5 from Debian and patched
the commonAccessCard bundle library (pulled from darwinsource 10.4.6) as
described at https://airborne.nrl.navy.mil/PKI/.
pcsc_scan, bundleTool and muscleTool are all fine.
I've got libmusclepkcs11 added to Firefox 1.5.0.