On 17.05.2007, at 23:12, Larner, Russell wrote:
> None of my test cases included writing certificates to the card on the
> Macintosh, however I could see there might be problems with the
> certificate cache.
If you're in the mood of hacking you could generate the tokend UUID
by hashing the num
OK, I have taken the RSA patch, and added most of the minor changes to
what I had been working on: to use 2048, 1024 and 3072 bit keys,
allow for creating the 9A, 9C and 9D keys and having the sc_pkcs15emu
and framework determine the modulus_length from the cert if the
objects indicate it is = 0.
None of my test cases included writing certificates to the card on the
Macintosh, however I could see there might be problems with the
certificate cache. I don't know enough about the Macintosh tokend
design to know a good fix for it.
You're right - auth certs are mandatory. However, I haven't b
Hey,
Please explain the motivation for this caching scheme, and please
outline how it works.
On Thu, May 17, 2007 at 02:40:21PM -0500, Douglas E. Engert wrote:
> I really don't like adding card manufacture specific code to get
> the serial number of the card to what should be generic PIV code.
If the purpose of this is so Mac tokend can associate a cert with
a card, and we used a card serial number, what happens if new
certs are written to the card?
In your patch you spell out 4 choices for the serial number.
This problem sounds like #3. Would the Mac realize the certificates
have chang
From what I have been able to determine, the CHUID is only guaranteed to
be unique for a single person - not across multiple cards. In other
words, if someone loses their card and is issued a new one, I believe
that the CHUID may still be the same while all their certificates would
have changed.
On Thu, 2007-05-17 at 10:28 -0500, Douglas E. Engert wrote:
> Thomas,
> I am in the process of updating the PIV code in the OpenSC package
> to support RSA 2048 and 3072 bit keys. This includes being able
> to use the PIV-tool to generate them, and the openssl req with
> the engine to generate a r
Larner, Russell wrote:
> I was wondering about that - we only have Oberthur and Gemplus cards to
> test with. There is the possibility of using other bits in the flag
> configuration to allow some other type of serial number calculation.
Since PIV is an application on a card, and cards may stor
Thomas Harning Jr. wrote:
> On Thu, 2007-05-17 at 10:28 -0500, Douglas E. Engert wrote:
>> Thomas,
>> I am in the process of updating the PIV code in the OpenSC package
>> to support RSA 2048 and 3072 bit keys. This includes being able
>> to use the PIV-tool to generate them, and the openssl req
'Hard-coding' the PIN length requirements in the PIV card driver is
definitely not optimal. However, there wasn't much choice since it is a
requirement in FIPS 201 that some cards (Oberthur and Gemplus) don't
implement.
The OpenSC patch was done against 0.2.11-rc1, but I've applied it
against 0.2
I was wondering about that - we only have Oberthur and Gemplus cards to
test with. There is the possibility of using other bits in the flag
configuration to allow some other type of serial number calculation.
(Also note that, if it can't find the CLPC, then a 'NULL' serial number
is used - so that
On Thu, 2007-05-17 at 11:04 -0400, Larner, Russell wrote:
> This was fairly complex, due to issues in the PIV specifications. See
> the new comments in piv_get_serial_nr for more details. It is needed
> in SCA since the serial number is used to cache certificates. (I.E.
> the Macintosh Keychain
Larner, Russell wrote:
> My company has been working with the PIV functionality in OpenSC and
> SCA, and we needed to add a couple of features:
>
> - Individual PIV card serial number calculation (to enable correct cert
> caching in SCA)
>
> This was fairly complex, due to issues in the PIV
Thomas,
I am in the process of updating the PIV code in the OpenSC package
to support RSA 2048 and 3072 bit keys. This includes being able
to use the PIV-tool to generate them, and the openssl req with
the engine to generate a request, signed by the key.
I have a number of questions about what yo
My company has been working with the PIV functionality in OpenSC and
SCA, and we needed to add a couple of features:
- Individual PIV card serial number calculation (to enable correct cert
caching in SCA)
This was fairly complex, due to issues in the PIV specifications. See
the new comments in