Re: [opensc-devel] Feitian Entersafe : transferring a key to a smartcard

2010-01-13 Thread Andreas Jellinghaus
thanks, committed to svn trunk. Regards, Andreas

Re: [opensc-devel] Feitian Entersafe : transferring a key to a smartcard

2010-01-13 Thread Jean-Michel Pouré
On Tuesday 12 January 2010 at 12:13 +0800, Xiaoshuo Wu wrote: > Thank you for reporting this, it's a flaw in entersafe driver. > I'd like to propose the patch for it, it removes the assert line and > some > unused code, solves a problem with ePass3000, see my attachment. > Regards, Xiaoshuo Dea

Re: [opensc-devel] Feitian Entersafe : transferring a key to a smartcard

2010-01-13 Thread Eric
I have also been contemplating my small personal PKI hierarchy. From the top of my head: The Root CA would function on a dedicated old laptop, disconnected and offline, running off a linux USB stick, with the CA's private keys and intermediate CA's private key backups stored on smart cards, bot

Re: [opensc-devel] Feitian Entersafe : transferring a key to a smartcard

2010-01-13 Thread Eric
> Why don't you want to generate the keys on the card? Under normal circumstances that's the thing smart cards are for. I've got limited experience with PKI policies, but what about key escrow? Or the poor man's version, creating a backup copy of a smart card on another smart card, kept in a f

Re: [opensc-devel] Feitian Entersafe : transferring a key to a smartcard

2010-01-11 Thread Andreas Jellinghaus
On Monday 11 January 2010 at 14:52:04, Jean-Michel Pouré wrote: > * I would like to add a page with dummy certificates on the wiki. One > root CA, one secondary CAs and several certs. So that users only have to > download them to test command lines. Would you favor that ? src/test/regression contains

Re: [opensc-devel] Feitian Entersafe : transferring a key to a smartcard

2010-01-11 Thread Xiaoshuo Wu
On Mon, 11 Jan 2010 22:17:09 +0800, Martin Paljak wrote: Is pkcs15-init fully working? Or is it a Feitian card issue or me not fully understanding what is possible to do? pkcs15-init is fully working. The failing assert comes from entersafe (feitian) driver code. Thank you for reporting th

Re: [opensc-devel] Feitian Entersafe : transferring a key to a smartcard

2010-01-11 Thread Jean-Michel Pouré
On Monday 11 January 2010 at 16:53 +0100, Peter Stuge wrote: > > > Of course, if your card is damaged, lost or stolen, your > > > certification should be revoked by the CA and reissued with a new > > > certification. But you still need the old key to decrypt old data > > > to re-encrypt with the n

Re: [opensc-devel] Feitian Entersafe : transferring a key to a smartcard

2010-01-11 Thread Martin Paljak
On 11.01.2010, at 17:28, Jean-Michel Pouré wrote: > On Monday 11 January 2010 at 16:17 +0200, Martin Paljak wrote: >> Definitely not. You might find glitches and shortcomings with >> pkcs11-tool but that would just benefit OpenSC as we could see the >> problems and fix them. > > Sorry to insist,

Re: [opensc-devel] Feitian Entersafe : transferring a key to a smartcard

2010-01-11 Thread Peter Stuge
Martin Paljak wrote: > > Of course, if your card is damaged, lost or stolen, your > > certification should be revoked by the CA and reissued with a new > > certification. But you still need the old key to decrypt old data > > to re-encrypt with the new key, right? > > Correct. If encryption code

Re: [opensc-devel] Feitian Entersafe : transferring a key to a smartcard

2010-01-11 Thread Martin Paljak
On 11.01.2010, at 17:28, Eric wrote: > > Why don't you want to generate the keys on the card? Under normal > > circumstances that's the thing smart cards are for. > > I've got limited experience with PKI policies, but what about key escrow? Or > the poor man's version, creating a backup copy of

Re: [opensc-devel] Feitian Entersafe : transferring a key to a smartcard

2010-01-11 Thread Jean-Michel Pouré
On Monday 11 January 2010 at 16:17 +0200, Martin Paljak wrote: > Definitely not. You might find glitches and shortcomings with > pkcs11-tool but that would just benefit OpenSC as we could see the > problems and fix them. Sorry to insist, but from a user point of view, what is the difference betwe

Re: [opensc-devel] Feitian Entersafe : transferring a key to a smartcard

2010-01-11 Thread Martin Paljak
On 11.01.2010, at 16:30, Peter Stuge wrote: > Martin Paljak wrote: >> for generic educational purposes I would suggest making >> YetAnotherSelfSignedSnakeOilOpenSSLCAGenerationGuide which the >> user could just copy-paste. > > I made one of those some time ago for BincIMAP and while the wiki it

Re: [opensc-devel] Feitian Entersafe : transferring a key to a smartcard

2010-01-11 Thread Peter Stuge
Martin Paljak wrote: > for generic educational purposes I would suggest making > YetAnotherSelfSignedSnakeOilOpenSSLCAGenerationGuide which the > user could just copy-paste. I made one of those some time ago for BincIMAP and while the wiki it lived at is now offline I have mirrored the archived we

Re: [opensc-devel] Feitian Entersafe : transferring a key to a smartcard

2010-01-11 Thread Martin Paljak
On 11.01.2010, at 15:52, Jean-Michel Pouré wrote: > For example, I tried: > pkcs15-init -S foobar.pkcs12 -f PKCS12 --auth-id 01 --pin > --insecure --passphrase "XX" > > but it failed with error messages. > > Importing 1 certificates: > 0: /C=FR/L=Paris/O=Foobar organisation/CN=Foobar

Re: [opensc-devel] Feitian Entersafe : transferring a key to a smartcard

2010-01-11 Thread Martin Paljak
Hello Jean-Michel, On 11.01.2010, at 15:52, Jean-Michel Pouré wrote: > * I would like to add a page with dummy certificates on the wiki. One > root CA, one secondary CAs and several certs. So that users only have to > download them to test command lines. Would you favor that ? For pure test purpose

[opensc-devel] Feitian Entersafe : transferring a key to a smartcard

2010-01-11 Thread Jean-Michel Pouré
Hello, To clarify my knowledge, I would like to contribute some user documentation on the wiki. The subject of transferring an RSA key pair to a smartcard seems interesting. Here are some newbie questions before I go on: * I would like to add a page with dummy certificates on the wiki. One root