Hi,

--- David Corcoran <[EMAIL PROTECTED]> wrote:
> Definitely.  The interface exported must be a subset
> of the
> available functionality or else someone could write
> a worm which does a
> Verify Key function incorrectly and blocks cards
> where services are
> available.  

Even worst. If you leave your card with your private
PGP key in the reader and the smartcard is accesible
to anybody over the net, somebody could connect to it,
and write signed messages with your private key, read
your private e-mail...

He only needs your PIN, that he can get by snooping
the network, or donig trial and error.

> A signature function must be carefully
> exported and
> authenticated to so it does not perform signature
> operations for undesired
> applications.  Currently this is protected by a PIN
> number so secure PIN
> transfer is a must.  Also, blocking the PIN is a
> concern....
>

IMO the smartcard, like your private key or your login
password must be kept private, and only accessible to
the local authenticated user.

We are supposed to be enthusiasts of smartcards as the
best security token to provide security services such
as authentication and privacy.

So if we are designing a system to authenticate and
earn secure access to a remote smartcard, we would en
up getting to the paradox that we would need another
local smartcard to athenticate to the remote
smartcard, 

Of course this is a madness and doesn't make any
sense, as it leads to an infinite loop ;-)

Again, I would pay more athention to local security.
Why is the file /tmp/.pcscrx world writtable? isn't
this a security hole? 
 
> Dave
> 
>
***************************************************************
> Linux Smart Card Developers - M.U.S.C.L.E.
> (Movement for the Use of Smart Cards in a Linux
> Environment)
> http://www.linuxnet.com/smartcard/index.html
> ***************************************************************

__________________________________________________
Do You Yahoo!?
Get personalized email addresses from Yahoo! Mail - only $35 
a year!  http://personal.mail.yahoo.com/
***************************************************************
Linux Smart Card Developers - M.U.S.C.L.E.
(Movement for the Use of Smart Cards in a Linux Environment)
http://www.linuxnet.com/smartcard/index.html
***************************************************************

Reply via email to