Page #2 of the following document shows what the *real* problem is:
http://webpki.org/papers/keygen2/sks-keygen2-exec-level-presentation.pdf
Anders
http://code.google.com/p/openkeystore
___
opensc-devel mailing list
Anders Rundgren wrote:
http://www.theregister.co.uk/2012/11/13/trustzone_company
Smart cards? Don't think so.
TrustZone isn't half bad hardware.
But I bet that the solution they come up with will still use exactly
the same old APDUs, with just a minimum bolted-on, in order to make
something
http://www.theregister.co.uk/2012/11/13/trustzone_company
Smart cards? Don't think so.
Anders
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
http://www.w3.org/2012/09/sysapps-wg-charter
Since the smart card industry have never managed making their stuff web
compatible before, I assume they will fail this time
On 03.10.2012 11:09, Anders Rundgren wrote:
http://www.w3.org/2012/09/sysapps-wg-charter
Since the smart card industry have never managed making their stuff web
compatible
Anders Rundgren:
On 2012-10-03 12:08, Andreas Schwier (ML) wrote:
So why do you think the smart card industry has never managed to get
their stuff web compatible ?
Isn't OpenSC the best example that Yes, you can access a protected
website / webapplication / webservice using a smart card
provides the client cert and key for TLS authentication to the IDP.
Shibboleth is all SAML based, and can work with other SAML based
services.
Support for OTP or whatever then is only needed in the IDP.
Andreas
On 03.10.2012 11:09, Anders Rundgren wrote:
http://www.w3.org/2012/09
On 2012-10-02 06:36, Frank Cusack wrote:
I've already seen a smartcard that hosts a battery, a display and a
button in a standard ISO form factor (it uses the sc chip to generate an
OTP every time the key is pressed), so 'technically' we're quite near to
a card that shows
On 2012-09-29 09:01, Frank Cusack wrote:
On Fri, Sep 21, 2012 at 11:58 PM, Andreas Jellinghaus andr...@ionisiert.de wrote:
On 20.09.2012 21:06, Anders Rundgren anders.rundg...@telia.com wrote:
http
On 2012-09-29 18:23, Frank Cusack wrote:
On Sat, Sep 29, 2012 at 12:40 AM, Anders Rundgren anders.rundg...@telia.com wrote:
Right. There is no point in installing applications in the SE;
applications are installed on top of the OS.
The SE only
On 2012-09-23 12:04, Andreas Jellinghaus wrote:
2012/9/22 Anders Rundgren anders.rundg...@telia.com
On 2012-09-22 17:27, NdK wrote:
On 22/09/2012 12:41, Andreas Jellinghaus wrote:
In my mind keys could optionally contain
On 2012-09-22 08:58, Andreas Jellinghaus wrote:
On 20.09.2012 21:06, Anders Rundgren anders.rundg...@telia.com wrote:
http://nelenkov.blogspot.se/2012/08/accessing-embedded-secure-element-in.html
Very interesting IMHO.
Agree, thanks for sharing
On 2012-09-22 17:27, NdK wrote:
On 22/09/2012 12:41, Andreas Jellinghaus wrote:
In my mind keys could optionally contain application-oriented ACL
telling which
applications they trust so that even if you install a bad App, it
would for
example not be able to use
http://nelenkov.blogspot.se/2012/08/accessing-embedded-secure-element-in.html
Very interesting IMHO.
According to the author SD-slots are becoming exceptions also for Android so
this is
probably what most people will be dealing with.
Anders
On 2012-09-05 13:29, helpcrypto helpcrypto wrote:
Huh, I'd guess (hope) nobody would be deploying *RSA* below 2048 bits
(smart cards doing 3k and 4k are also slowly emerging) and elliptic
curves are already becoming a viable option (in commodity software) as
well..
The most advanced i have
On 2012-08-17 22:32, Jean-Michel Pouré - GOOZE wrote:
It also means that the card middleware will be a part of the OS.
This will boost the smartcard technology to a wider public, which are
good news. It is essential to have the smartcard or token in the hand /
in the pocket. Your computer
On 2012-08-19 18:55, NdK wrote:
On 19/08/2012 15:50, Anders Rundgren wrote:
Everything you write is fine and probably correct as well.
The only fly in the soup is that *it is not happening*.
I think it will be just like the TPM: when enough people will realize
what it is, it won't get
http://communities.intel.com/community/vproexpert/blog/2012/05/18/intel-ipt-with-embedded-pki-and-protected-transaction-display
Since Intel have 90% of the PC market this could be quite significant one day.
It also means that the card middleware will be a part of the OS.
Anders
On 2012-08-17 22:33, Jean-Michel Pouré - GOOZE wrote:
On Friday 17 August 2012 at 18:13 +0200, Anders Rundgren wrote:
http://communities.intel.com/community/vproexpert/blog/2012/05/18/intel-ipt-with-embedded-pki-and-protected-transaction-display
Are specs public?
I don't think so. OTOH
On 2012-08-06 11:23, Andreas Schwier wrote:
I would assume, that checking constraints is the job of the RA, not the CA.
Anyway, our design works the other way around: The card generates the
CSR internally, so the RA/CA can prove the key was generated in a
legitimate device. The device can be
On 2012-08-06 12:51, Nikos Mavrogiannopoulos wrote:
On Mon, Aug 6, 2012 at 11:30 AM, Anders Rundgren
anders.rundg...@telia.com wrote:
On 2012-08-06 11:23, Andreas Schwier wrote:
I would assume, that checking constraints is the job of the RA, not the CA.
Anyway, our design works the other way
Anders
On 2012-03-26 23:34, Frank Morgner wrote:
On Saturday, March 24 at 07:07AM, Anders Rundgren wrote:
http://www.globalplatform.org/specifications/review/GPD_SE_Access_Control_v0_10_0.pdf
By adding ACL information to keys during enrollment you can limit key
misuse by bad apps.
Although
On 2012-03-26 09:17, helpcrypto helpcrypto wrote:
Another issues with this project is many of the modifications can only be
tested
by a subset of developers (maybe only one) who have the cards that can use
the modification.
Maybe it's a stupid idea (or already done), but can't we
http://www.globalplatform.org/specifications/review/GPD_SE_Access_Control_v0_10_0.pdf
By adding ACL information to keys during enrollment you can limit key
misuse by bad apps.
Although GP specifies a generic scheme not limited to SEs, the lack
of developments by the vendors of connected SEs
Although OpenSC may be in a bit of s*** right now, that's a gentle breeze
compared to what is happening in the outside world.
There will be a war between a set of very divided European SC-vendors against
three giant US corporations who are rolling out virtual smart cards like:
Somewhat related to the OpenSC organization discussions:
http://www.globalplatform.org/documents/Consumer_Centric_Model_White_PaperMar2012.pdf
I must confess I don't understand a thing of this, neither the business model,
the consumer centric concept, or how it integrates in phones that don't
On 2012-02-28 12:53, Andy Walls wrote:
On Tue, 2012-02-28 at 06:33 -0500, Andy Walls wrote:
On Mon, 2012-02-27 at 12:23 -0700, Anthony Foiani wrote:
Andy, Ludovic --
On Mon, Feb 27, 2012 at 11:15 AM, Ludovic Rousseau
ludovic.rouss...@gmail.com wrote:
On 27 February 2012 18:46, Anthony Foiani
On 2012-02-20 23:22, Douglas E. Engert wrote:
On 2/20/2012 3:41 PM, Anders Rundgren wrote:
On 2012-02-20 21:40, Peter Stuge wrote:
Anders Rundgren wrote:
I don't know what USB P11 is, can you send me a pointer?
It's my old idea of implementing PKCS#11 directly over USB. Issues
have been
On 2012-02-21 16:17, Douglas E. Engert wrote:
On 2/21/2012 6:01 AM, Anders Rundgren wrote:
On 2012-02-20 23:22, Douglas E. Engert wrote:
On 2/20/2012 3:41 PM, Anders Rundgren wrote:
On 2012-02-20 21:40, Peter Stuge wrote:
Anders Rundgren wrote:
I don't know what USB P11 is, can you
On 2012-02-21 18:16, Douglas E. Engert wrote:
snip
Pushing the ECDH Key Agreement to the token for use by the token
looks very interesting.
I meant based on your slides it looks like that is what you would like
to do as a new operation.
I'm not sure I understand what you are trying to
On 2012-02-19 19:11, Peter Stuge wrote:
Anders Rundgren wrote:
You didn't hear my presentation at FOSDEM 2012 but it was about
creating a token with a standard API so that you would as a
customer be able to just plug it in.
This is an advantage of USB P11. In Windows 8 and later
On 2012-02-20 21:40, Peter Stuge wrote:
Anders Rundgren wrote:
I don't know what USB P11 is, can you send me a pointer?
It's my old idea of implementing PKCS#11 directly over USB. Issues
have been pointed out, and they would have to be solved of course.
Maybe you would like to have
On 2012-02-20 23:23, Jean-Michel Pouré - GOOZE wrote:
snip
IMHO, CCID is superior as it is really plug-and-play under all systems.
Of course, CCID is needed, but it could be installed under all systems
by default. The last versions of libccid with udev really rocks. Pure
plug-and-play never
IMO the core problem with OpenSC is that all cards seem to require
a tweak, profile or similar. For government IDs which are driven
by politics rather than reason there is no problem to solve; the
governments simply have to pay the price for demanding uniqueness.
For non-government tokens
On 2012-02-19 13:32, Jean-Michel Pouré - GOOZE wrote:
Anders Rundgren wrote:
For non-government tokens like the excellent Feitian Epass2003
I would consider another approach: Updating the firmware to
emulate PIV so that we can put the middleware aside once and
for all.
I agree completely
TPMs already have an EK (Endorsement Key) on the chip.
However, the TPM guys didn't look into SM (Secure Messaging) so
at least the current version (1.2) is quite crippled.
Microsoft intends making TPM 2.0 a standard feature in W8 pads.
Their take on secure silicon is making it a part of the CPU
On 2012-01-19 09:38, NdK wrote:
On 19/01/2012 09:16, Peter Stuge wrote:
Christian Hohnstaedt wrote:
Anything that can be signed by the card can be signed by a software
key, too.
Yes of course. But the point is that the card can come with the
special key pre-installed.
I see at least
On 2012-01-19 10:16, Frank Cusack wrote:
On Thu, Jan 19, 2012 at 1:10 AM, Anders Rundgren anders.rundg...@telia.com wrote:
This is since long solved problem. It is an intrinsic part of
GlobalPlatform
where you don't really use CSR's and PoP's
card standard that would be better
but I'm really only helped by emulating a mainstream card,
whatever mainstream means in this space :-)
Regards
Anders
On 2012-01-09 17:21, Douglas E. Engert wrote:
On 1/7/2012 9:29 AM, Anders Rundgren wrote:
Hi,
I'm not particularly familiar with PIV
Hi,
I'm not particularly familiar with PIV but from the spec it seems that
a PIV card supports 1-3 user certificates selected by some kind of index.
Let's say that I rather wanted 10 certificates, would drivers out there
be able to cope with that?
I understand that this is outside of the actual
Hi CryptoStick/Jan,
Please bear with me, I know very little about PGP but it seems
that the functions you require are supported by most PKI cards
so my question is really: why do you need a patch?
My (not yet activated) plan is emulating a good card (which
I don't know yet..), so I don't have to
Hi Guys,
As you already heard (to death?), I'm working on a smarter smart card which
(with my definition) is a cryptographic module explicitly designed for on-line
enrollment over the web [1].
Anyway, since my core competence is architecture as well as due to limited
funding
the low-level part
On 2011-12-17 21:04, Ludovic Rousseau wrote:
2011/12/17 Anders Rundgren anders.rundg...@telia.com:
Hi Guys,
Hello,
Good evening Ludovic!
As you already heard (to death?), I'm working on a smarter smart card which
(with my definition) is a cryptographic module explicitly designed
On 2011-11-26 09:45, Ludovic Rousseau wrote:
Hello Douglas and Anders,
2011/11/25 Douglas E. Engert deeng...@anl.gov:
On 11/24/2011 4:02 AM, Anders Rundgren wrote:
Hi Ludovic,
You are a true smart card middleware expert.
I'm not and my customers are even less of that.
They just want
On 2011-11-27 14:32, Ludovic Rousseau wrote:
2011/11/27 Anders Rundgren anders.rundg...@telia.com:
On 2011-11-26 09:45, Ludovic Rousseau wrote:
Hello Douglas and Anders,
2011/11/25 Douglas E. Engert deeng...@anl.gov:
On 11/24/2011 4:02 AM, Anders Rundgren wrote:
Hi Ludovic,
You are a true
like EJBCA http://ejbca.org
without low-level platform tweaks.
Anders
unconvinced
On 2011-11-24 10:31, Ludovic Rousseau wrote:
2011/11/23 Anders Rundgren anders.rundg...@telia.com:
Hi,
Hello,
I just wonder what your opinion is about Java smart card io which is a
part of JDK 1.6
On 2011-11-24 09:38, helpcrypto helpcrypto wrote:
We have been using java for quite a long time to use the certificates
stored in our smartcards.
So far, we didn't have many issues.
Actually we are using jss to attack our pkcs#11 module (or csp), but
since we got some problems on osx (i
Anders
Cheers,
Rafael.
On Thu, Nov 24, 2011 at 9:19 AM, Anders Rundgren
anders.rundg...@telia.com wrote:
On 2011-11-24 09:38, helpcrypto helpcrypto wrote:
We have been using java for quite a long time to use the certificates
stored in our smartcards.
So far, we didn't have many issues
Hi,
I just wonder what your opinion is about Java smart card io which is a
part of JDK 1.6 and forward.
I did a minute test and it wasn't overly convincing :-(
OTOH, as we all know that smart card middle ware is hell on earth I
may simply not have given it enough time.
import
F.Y.I.
http://www.globalplatform.org/specifications/review/GPC_2.2_B_RAM_Over_HTTP_1.1.0.3_PR.pdf
It is a horrible idea using TLS-PSK when you can do the same thing with PKI.
If you rather use a TLS-server-only authenticated protocol, and a
dynamically created session-key you can also support
http://www.ecsec.de/pub/2007_TrustBus.pdf
http://openidtrustbearer.wordpress.com/2009/12/11/first-impressions-of-isoiec-24727
Is this for real?
Anders
On 2011-10-14 17:12, NdK wrote:
On 14/10/2011 12:34, Tomas Gustavsson wrote:
There was still mentioning about smart card middleware in the article. I
didn't quite get it, but anything that still requires installation of
different middle-wares for different cards does not bring us much closer
On 2011-10-13 15:52, Ludovic Rousseau wrote:
From my blog
http://ludovicrousseau.blogspot.com/2011/10/httpmusclecardcom-is-gone-for-now.html
Maybe the time has come for the smart card community to realize
that we live in a web-world and therefore there is a need to be
able to
If the keystore process uses sockets (SKS uses Web Services over sockets),
you could achieve trusted path detection in Linux without any
significant programming at all:
http://welz.org.za/notes/on-peer-cred.html
This scheme is for example used by PostgreSQL for their ident
authentication scheme.
http://msdn.microsoft.com/en-us/library/windows/desktop/bb394820%28v=vs.85%29.aspx
Apparently you can do this in Windows as well if you use sockets for
communication.
Anders
Is there any support for trusted (OS-level) PIN input in OpenSC?
Or is this supposed to be catered for by separate PIN-pads only?
I expect this feature will be standard in mobile devices.
Google have even managed to support trusted path in their wallet
application. I don't know anything how this
On 2011-10-10 12:05, Martin Paljak wrote:
Hello,
On Mon, Oct 10, 2011 at 12:27, Anders Rundgren
anders.rundg...@telia.com wrote:
Is there any support for trusted (OS-level) PIN input in OpenSC?
Trusted path for me means guaranteed by tamper-proof mechanisms, which
usually means separate
On 2011-09-22 17:31, Crypto Stick wrote:
The Gnuk project [1] is working on support of ECDSA. But I expect a few
more weeks or months until a public release.
[1] http://www.fsij.org/gnuk/
It was nice to see yet another Open Hardware token project!
The RSA signature numbers were quite
It seems that there are big hopes associated with Microsoft's MiniDriver.
I don't understand why because it is poorly documented, has zero
standards status, and has AFAIK only been implemented in Windows.
Another issue is that I don't see how the MiniDriver provisioning model
could be transferred
On 2011-09-18 11:57, Martin Paljak wrote:
Hello,
On Sep 18, 2011, at 12:17 , Anders Rundgren wrote:
It seems that there are big hopes associated with Microsoft's MiniDriver.
From where?
Windows has 90% of the enterprise desktop market.
Microsoft's recommendation is to use MiniDriver-based
On 2011-08-22 10:40, Vlastimil Pavicek wrote:
I think that MasterCard CAP Visa DPA is the technology to look for.
see:
http://en.wikipedia.org/wiki/Chip_Authentication_Program
Shared secrets are not generally useful with more than one ID-provider.
Anders
Best regards
VLP
On 2011-08-16 17:33, Douglas E. Engert wrote:
On 8/14/2011 10:40 AM, Anders Rundgren wrote:
On 2011-08-14 08:59, Alon Bar-Lev wrote:
There had been always unified API: PKCS#11.
Well, at Microsoft environment there was CryptoAPI Provider.
The good about the CryptoAPI is that it allowed
by consumers
without doing something creative in the lower layers as well.
Microsoft is (based on indirect information...), also working on a new
enrollment system which builds on the MiniDriver.
Anders
On Sun, Aug 14, 2011 at 7:20 AM, Anders Rundgren
anders.rundg...@telia.com wrote:
Writing card
Writing card drivers is quite difficult. That's why Microsoft introduced the
MiniDriver.
The driver model has been very successful for printers since printers have
widely different characteristics. Cryptographic operations OTOH leave very
little (if any) room for variations.
Although cards
On 2011-08-04 18:58, Alon Bar-Lev wrote:
snip
So if p11-kit solves this multiple-access issue, this would be great.
This is core issue of OpenSC and should be solved within the core of OpenSC.
Aka - stateless card access.
Another solution is to use key-containers that for standard
cryptographic
With yet another record-quarter and having one of the most popular devices ever
made, Apple is in a unique position of enhancing iPhone to also work as a stack
of smart cards. It is technically by no
means very difficult either.
One may argue that it will take a few years to do that but that
On 2011-07-20 09:30, Martin Paljak wrote:
Hello,
snip
One may argue that it will take a few years to do that but that
should be compared with the EXTREMELY SLOW development going on
in the smart card community. For example there is no [reasonable] way
you can provision a card using a
On 2011-06-17 13:08, Martin Paljak wrote:
https://github.com/MrMEEE/bumblebee/commit/a047be85247755cdbe0acce6#diff-1
A nice example of fine GitHub code commenting (mis?)use :)
Martin,
You mean that programming really is fun? :-) :-)
Deleting /usr must for an old Windows-hack like me
almost
I don't know what you had in mind with an USB P11 token
but in case you would like to participate in an effort
making sort of a USB P11 token there is already a project
to dig in to:
http://webpki.org/auth-token-4-the-cloud.html
If you take a deep peek in the extensive documentation
you will
On 2011-04-26 14:55, NdK wrote:
On 26/04/2011 12:41, Anders Rundgren wrote:
snip
An unusual (unique?) aspect of the mentioned project is that
it is designed to be integrated in browsers.
It aims at client security. My target is server security, so I don't
have to leave .key files around
http://www.nist.gov/nstic
http://www.whitehouse.gov/the-press-office/2011/04/15/administration-releases-strategy-protect-online-consumers-and-support-in
Why could NSTIC be called a smart card standard?
Well, because a flexible scheme for strong authentication requires that
you can distribute
http://gcn.com/articles/2011/02/03/nstic-identity-management-challenges.aspx
_Seven years_ after the directive, we're finally making some progress
as DHS, in issuing the PIV Card, Spires said. Some 180,000 cards have
been issued to employees and contractors, primarily in the National
Capital
I wouldn't hold my breath on this one.
External tokens on mobile phones is a difficult idea that most likely
will be marginalized by on-line schemes using embedded crypto hardware.
If there was this One Provider things could be OK, but it is really
the opposite, and it is also getting worse.
Slightly off-topic but I guess some of you guys have more insight in
HSMs than most other people have :-)
In a recent project there was a requirement for frequent and *automated*
renewals of certificates. The renewal procedure is based on creating
a self-signed request which is then signed by
Martin Paljak wrote:
On Sep 12, 2010, at 8:42 PM, Peter Koch wrote:
I got two testcards from certgate in 2008. One was java-based
and one contained a TCOS3-chip. They were planning to offer
an ifd-handler for linux. Since OpenSC has TCOS3 support this
microSD-card might work in combination
Hi,
I don't know how many of you who are aware of Information Cards but they
have been pushed for 5 years by Microsoft with virtually no results.
IMO it is because Microsoft have (like most other US companies)
essentially no experience with tokens for consumers since US on-line
banks
resoli - libero wrote:
On Mon, 21/06/2010 at 11.05 +0200, Viktor TARASOV wrote:
resoli - libero wrote:
This thread is really interesting looking from an italian perspective.
Viktor mentioned the fact that in Italian CNS card PIN and signature are
secure messaging protected, as
Emanuele Pucciarelli wrote:
Hi Anders,
I'm very interested in these matters too. (Thanks, Roberto, for
starting the discussion here!)
Fine!
Moreover, I'm rather curious about SM for digital signature outside
Italy; is it used at all?
It is used by for example Swedish governments for
I've personally always wondered why the PKCS #11 folks never
considered a central registry like in Windows where
cryptographic providers register themselves, particularly
for user-oriented providers (not HSMs).
I believe Microsoft introduced this 15 years ago...
Note: I don't mean that a kitchen
On 2010-07-18 15:46, Stef Walter wrote:
I'm thinking of using PAM for ideas. If you're familiar with PAM the
following will make sense:
* Directory of configuration files one per application.
* Each file specifies modules to load.
* Default configuration file when an application doesn't
On 2010-07-18 18:49, Stef Walter wrote:
The missing piece is a common standard for specifying which PKCS#11
modules for an application to load.
This is not what Microsoft and Apple offers.
They offer a directory of providers. If apps want to
discriminate against certain providers they can
It always felt like a good idea creating a card-edge standard
for tokens that only are used for login etc. That the methods
for initializing cards as well as provisioning/managing credentials
are even more non-standard than just using them was the ultimate
motivator!
Slightly related. I wonder
On 2010-07-15 12:24, Jean-Michel Pouré - GOOZE wrote:
On Thu, 2010-07-15 at 11:50 +0200, Anders Rundgren wrote:
It always felt like a good idea creating a card-edge standard
for tokens that only are used for login etc.
IMHO, OTP (One Time Passwords) generators, following OATH standard
On 2010-07-15 14:04, Göran Melvås wrote:
But until you have a federation type of logon service like SAML or opened or
(central PKI like Cryptomatic or Norwegian BankID).
You have to have multiple tokens...
Here we enter a somewhat religious area..
Personally I doubt that we will ever get
) patents is a
very bad idea that only stifles progress...
Anders
Martin Paljak wrote:
On Jul 5, 2010, at 9:28 AM, Jean-Michel Pouré - GOOZE wrote:
On Sat, 2010-07-03 at 10:32 +0200, Anders Rundgren wrote:
Everything is in a rather early state but it is already working as an
emulator
Although not currently directly related to OpenSC, this project addresses
the same needs but in a *very* different way.
The idea is creating a standardized cryptographic container that is only
intended
for authentication to services on the Internet which means that it is
useless as the
Martin Paljak wrote:
What is BSI/ISO Web Service stack for smart cards ?
Does it have something to do with the new JavaCard 3?
Since ISO standards have to be *paid for* (what were they
smoking when they took that decisions) I don't have
the specifics but the German ecard build on this:
Jean-Michel Pouré - GOOZE wrote:
* USB key support beyond CCID
It seems that MS Windows incorporates a mechanism which allows USB token
to work without driver. So there is probably a standard. It would be
nice to hear from that standard.
I'm also curious about this. They (MSFT) claim
Jean-Michel Pouré - GOOZE wrote:
On Thu, 2010-07-01 at 09:45 +0200, Anders Rundgren wrote:
I'm also curious about this. They (MSFT) claim that minidriver is
the future but it is just an abstraction layer, you still need a
driver although a simple(r) one.
I have no idea how MSFT works
Peter,
I think Martin's approach is quite reasonable since it has a good chance
working with existing cards, browsers and PCs.
If you (like me) want to push the envelope a bit further and leaving
the legacy of 7816, File systems, ASN.1, PKCS #15, PC/SC, serial interfaces,
stuffed in electronics
Hi J-M,
Are you sure that this is correct?
Why would a vendor use HID when there is a generally supported
Mass Memory class?
HID is used by some USB stick vendors but for entirely different
purposes like generating OTPs.
Mass memory Human interface device.
Regards
Anders
Jean-Michel Pouré -
I doubt that SCP01 (is that what you refer to or what?) is useful
in browsers but I leave that for you guys to find out :-)
Gemalto has/is also pushing this concept though:
http://w2spconf.com/2009/papers/s4p4.pdf
My opinion is that you need a subsystem in the browser, like
an upgraded keygen
gilles Bernabé wrote:
2010/4/29 Anders Rundgren anders.rundg...@telia.com
I doubt that SCP01 (is that what you refer to or what?) is useful
in browsers but I leave that for you guys to find out :-)
Gemalto has/is also pushing this concept
Peter Stuge wrote:
Anders Rundgren wrote:
Rolling your own USB device classes isn't completely
without issues as this bright young man describes it:
http://fourwalledcubicle.com/blog/archives/561
Right, when a USB interface becomes widely adopted it certainly
does make sense to have
Is my assumption that the amount of PKCS #11 needed for doing
TLS-client-cert auth or S/MIME is close to nothing?
I also guess that the CryptAPI support needed for AD login
with a certificate is very small, right?
I'm asking because Peter's idea to emulate PKCS #11 directly
is horrendous if the
Martin Paljak wrote:
snip
I would still use an actual crypto IC for key operations,
If you need multiple MCUs the scheme will be costly. I think
there is plenty of lebensraum between passwords written down on
Post-It notes and EAL5++ certified eID cards.
Here is a candidate for the
Peter Stuge wrote:
Anders Rundgren wrote:
There is no such thing as talking directly to USB if you want your
stuff to run in an ordinary computer
Hm - what do you mean?
I took it for granted (maybe incorrect) that the operating
system, libusb, or whatever is running the show assumes
Rolling your own USB device classes isn't completely
without issues as this bright young man describes it:
http://fourwalledcubicle.com/blog/archives/561
Anders
Peter Stuge wrote:
Anders Rundgren wrote:
There is no such thing as talking directly to USB if you want
your stuff to run
Martin Paljak wrote:
Last but not least, there needs to be a balance between (security)features
and price, and nifty features like trusted PDA-s (such as [1]) with a
kickass display, verified firmware (not needed if you don't care) don't come
cheap.
No, but unlike smart cards which have
Jean-Michel Pouré - GOOZE wrote:
On Mon, 2010-04-19 at 06:51 +0200, Anders Rundgren wrote:
I'm still quite uncertain on what to emulate in order to get a
middleware-free token. CCID yes, but above that level things
look much more unclear.
Before working on a new token, we recommend